PHPCounter Input Validation Hole in EpochPrefix Parameter Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1014478
SecurityTracker URL: http://securitytracker.com/id/1014478
CVE Reference: CVE-2005-2288, CVE-2005-2289
Updated: Jun 24 2008
Original Entry Date: Jul 14 2005
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 7.2

Description:
An input validation vulnerability was reported in PHPCounter. A remote user can conduct cross-site scripting attacks. A remote user can also determine the installation path.
The script does not properly filter HTML code from user-supplied input in the EpochPrefix parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHPCounter software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
http://[target]/CounterDirectory/index.php?Plugin=All%20Hits&EpochPrefix="></a></div><script>a=/XSS/%0aalert(a.sour
A remote user can supply the following type of URL to cause the system to disclose the installation path:
http://[target]/CounterPath/prelims.php
priestmaster reported this vulnerability.
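
An added example, not part of the original advisory or of PHPCounter's code: with no fix available, a site operator can review web-server logs for the two request patterns described above. The log lines are constructed, and treating prelims.php as an include file that is never requested directly is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Apache combined-style); hosts, paths and values are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jul/2005:10:00:01 +0000] "GET /Counter/index.php?Plugin=All%20Hits&EpochPrefix=1121299200 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Jul/2005:10:02:13 +0000] "GET /Counter/index.php?Plugin=All%20Hits&EpochPrefix=%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 5188',
    '192.0.2.44 - - [14/Jul/2005:10:02:20 +0000] "GET /Counter/index.php?EpochPrefix=%253Cb%253Ex HTTP/1.1" 200 5130',
    '192.0.2.77 - - [14/Jul/2005:10:05:42 +0000] "GET /Counter/prelims.php HTTP/1.1" 200 141',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>]")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    findings = []
    # Assumption: prelims.php is an include file that browsers never request directly.
    if target.path.rsplit("/", 1)[-1].lower() == "prelims.php":
        findings.append("direct-prelims-request")
    # parse_qs decodes once; fully_decode handles further encoding layers.
    values = parse_qs(target.query, keep_blank_values=True).get("EpochPrefix", [])
    if any(MARKUP_RE.search(fully_decode(v)) for v in values):
        findings.append("markup-in-EpochPrefix")
    return findings


def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    hits = {n: classify(line) for n, line in enumerate(lines, 1)}
    return {n: f for n, f in hits.items() if f}


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(findings))
```

The check matches on "<" and ">" because those are the characters the report says are not filtered; a hit is a lead for review, not proof of a successful attack.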

Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHPCounter software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:
No solution was available at the time of this entry.

Vendor URL: www.ekstreme.com/phplabs/phpcounter.php
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History:
None.

Source Message Contents

Subject: Path Disclosure and XSS problem in PHP Counter 7.2

Hi,
I found two vulnerabilities in PHP Counter 7.2
PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php
First an XSS problem (file phpcounterxss.txt)
Second a Path disclosure vulnerability (file phpcounterdir.txt).
greets,
priestmaster
Mail: <priest@priestmaster.org>
URL: http://www.priestmaster.org

Attachment: phpcountxss.txt
----------------------------------------------------------
---- Team priestmasters PHP Counter 7.2 XSS Advisory -----
----------------------------------------------------------
PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php
PHP Counter 7.2 does not filter "<>" tags in the EpochPrefix
parameter. Cross-site scripting and HTML injection are possible.
Exploitation:
http://www.yourwebsite.org/CounterDirectory/index.php?Plugin=All%20Hits&EpochPrefix="></a></div><script>a=/XSS/%0aalert(a.source)</script>
The injected script is called multiple times.
XSS is hard to do because ' and " are filtered.
greets,
priestmaster
URL: http://www.priestmaster.org
Email: priest@priestmaster.org

Attachment: phpcountdir.txt
------------------------------------------------------------
-------- Team priestmasters PHP Counter 7.2 Advisory -------
---------------- Path disclosure vulnerability -------------
------------------------------------------------------------
PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php
A path disclosure vuln exists in prelims.php
Exploitation is simple:
http://www.yoursite.com/CounterPath/prelims.php
Output looks like this:
Fatal error: Call to undefined function: getdawn()
in /home/.sites/165/site223/web/Counter/prelims.php on line 63
That's all :-)
priestmaster