SmartPPC Pro 'username' Input Validation Holes Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1015259
SecurityTracker URL: http://securitytracker.com/id?1015259
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 24 2005
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Description: BiPi_HaCk of Nightmare TeAmZ reported a vulnerability in SmartPPC Pro. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SmartPPC Pro software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'username' field in 'directory.php', 'frames.php', and 'search.php' is affected.

A demonstration exploit URL is provided:

http://[target]/[Path]/search.php?keywords=1&username=--><script>alert('Hacked By Nightmare TeAmZ');</script>&alt_search=1&submitLuck=I%27m%20Was%20Hacked
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
SmartPPC Pro software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
Solution: No solution was available at the time of this entry.
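
With no vendor fix available, requests that abuse the affected parameter can still be spotted in web server access logs. The following is an added example, not part of the advisory or of SmartPPC Pro: it flags requests to the three listed scripts whose 'username' value falls outside an allow-list. The Apache-style log format, the /ppc/ path, the allow-list pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts and parameter named in the advisory.
AFFECTED_SCRIPTS = {"directory.php", "frames.php", "search.php"}
PARAM = "username"
# Assumption: legitimate usernames are short and use only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.@-]{0,64}")
# Request line inside an Apache common/combined log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, hypothetical /ppc/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Nov/2005:10:00:01 +0000] '
    '"GET /ppc/search.php?keywords=shoes&username=alice HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Nov/2005:10:02:17 +0000] '
    '"GET /ppc/search.php?keywords=1&username=--%3E%3Cscript%3Ealert(%27x%27)'
    '%3C/script%3E&alt_search=1 HTTP/1.1" 200 5300',
    '192.0.2.77 - - [24/Nov/2005:10:05:00 +0000] '
    '"GET /ppc/index.php?username=%3Cb%3E HTTP/1.1" 200 100',
]

def check_line(line):
    """Return (script, decoded value) if the line requests an affected script
    with a 'username' value outside the allow-list, otherwise None."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in AFFECTED_SCRIPTS:
        return None
    # parse_qs percent-decodes once, matching what the server-side script receives.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        if not SAFE_VALUE.fullmatch(value):
            return script, value
    return None

def scan(lines):
    """Return (client, script, value) for every flagged log line."""
    found = ((line.split(" ", 1)[0], check_line(line)) for line in lines)
    return [(client, *hit) for client, hit in found if hit]

if __name__ == "__main__":
    for client, script, value in scan(SAMPLE_LOG):
        print(f"{client} {script} username={value!r}")
```

Access logs normally record only the query string, so a 'username' value sent in a POST body is not visible to this check.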
Vendor URL: www.orbitscripts.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "brian walter" <bipicciuti@hotmail.com>
Message History: None.

Source Message Contents

Date: Wed, 23 Nov 2005 22:38:08 +0100
From: "brian walter" <bipicciuti@hotmail.com>
Subject: SmartPPC Pro Xss

------------------------------------------------------
Nightmare TeAmZ Advisory 017
------------------------------------------------------
Date - 11/2005
SmartPPC Pro Xss
AFFECTED PRODUCTS
=================
SmartPPC Pro
http://www.orbitscripts.com
Overview:
========
SmartPPC Standard is a full-featured Pay Per Click Search Engine with extended
functionality. This script is easy enough for a novice to maintain but has the features
and power suitable for PPC pros. SmartPPC is the solution for customers tired of the
limitations of other PPC scripts, and customers tired of chasing down the bugs in their
custom developed PPC search engines. This version has been sold for two years, and our
customers have earned several million dollars using it. All known bugs were fixed
during these two years. SmartPPC Standard runs from a different core than our popular
SmartPPC Lite script. We'd like to emphasize the following important features:
Xss Vulnerable Path:
========
/directory.php?username=[XSS]
/frames.php?username=[XSS]
/search.php?username=[XSS]
Proof:
========
http://www.[Host].com/[Path]/search.php?keywords=1&username=--><script>alert('Hacked By Nightmare TeAmZ');</script>&alt_search=1&submitLuck=I%27m%20Was%20Hacked
Solution:
========
1. Vendor Not Contacted
Credits
=======
This vulnerability was discovered and researched by
BiPi_HaCk of Nightmare TeAmZ
We're: BiPi_HaCk - r3d_4Ss4ult3r - Sub_Z3r0
Site: http://www.NightmareSecurity.net <--IT Security Forum