Recub Version 1.0

RECUB Features:
1 RC4 encrypted reverse connect shell for XP, 2k, 2003.
2 Bypasses firewalls by starting a new instance of Internet Explorer and injecting code into it.
 

And Many More
 

Available as a Win32 version and a Unix version.

 

Date: 10/12/03
Product : XOOPS 2.0.5.1
Vendor : www.xoops.org
Discovered By : Chintan Trivedi - chesschintan [at] hotmail.com
 

===========================================================
Advisory by Eye On Security Research Group - India www.eos-india.net
===========================================================


1...............................................................Product
2................................................................Vendor
3.........................................................Vulnerability
4.........................................................About Product
5..............................................Details of vulnerability
6...............................................................Exploit
7...............................................................Credits


1. Product
==========

XOOPS 2.0.5.1


2. Vendor
=========

www.xoops.org


3. Vulnerability
================

XSS vulnerability in the Web Links module (directory modules/mylinks)


4. About XOOPS
==============

XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS supports a number of databases, making XOOPS an ideal tool for developing small to large dynamic community websites, intra company portals, corporate portals, weblogs and much more.


5. Details of vulnerability
===========================

The Web Links module contains a file named "myheader.php" in the /modules/mylinks/ directory. The relevant code of the file is as follows:

---------------------------------
include "../../mainfile.php";
$url = $HTTP_GET_VARS['url'];          // taken from the query string as-is: no validation, no escaping
$lid = intval($HTTP_GET_VARS['lid']);  // by contrast, lid is forced to an integer
.
.
.
<td class='bg4' align="center"><small>
<a target="main" href="ratelink.php?cid=<? echo $cid; ?>&amp;lid=<? echo $lid; ?>"><? echo _MD_RATETHISSITE; ?></a> | <a target="main" href="modlink.php?lid=<? echo $lid; ?>"><? echo _MD_MODIFY; ?></a> | <a target="main" href="brokenlink.php?lid=<? echo $lid; ?>"><? echo _MD_REPORTBROKEN; ?></a> | <a target='_top' href='mailto:?subject=<? echo $mail_subject; ?>&body=<? echo $mail_body;?>'><? echo _MD_TELLAFRIEND; ?></a> | <a target='_top' href="<? echo XOOPS_URL; ?>">Back to <? echo $xoopsConfig['sitename']; ?></a> | <a target='_top' href="<? echo $url; ?>">Close Frame</a>
</small>
.
.
-----------------------------------

The value of the "url" parameter is echoed, without validation or escaping, into the href attribute on this line:
<a target='_top' href="<? echo $url; ?>">Close Frame</a>

Note the contrast with $lid, which is passed through intval(). Because nothing restricts the scheme or the characters of $url, an attacker can supply a javascript: URL as its value; the browser executes that script in the context of the XOOPS site as soon as the victim clicks the "Close Frame" link.
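As an added illustration (not code from the XOOPS project or from the advisory), the following PHP script renders the "Close Frame" link twice: once the way myheader.php does, and once with a hardened rendering that accepts only absolute http/https URLs, falls back to the site URL otherwise, and HTML-escapes the value before it reaches the attribute. The function names, the constructed inputs and the fallback URL are assumptions. The example goes beyond the advisory's javascript: payload by also feeding a value containing a double quote, to show why escaping is needed in addition to a scheme check.

```php
<?php
// Added example, not XOOPS code: renders the "Close Frame" link the way
// modules/mylinks/myheader.php does, then the way a hardened version would.
// Function names, sample inputs and the fallback URL are assumptions.

// Vulnerable rendering: mirrors the original one-liner. $url comes straight
// from the query string and lands in href without validation or escaping.
function close_frame_link_vulnerable(string $url): string
{
    return "<a target='_top' href=\"" . $url . "\">Close Frame</a>";
}

// Hardened rendering. Assumption: only absolute http/https links are
// legitimate here, so anything else (javascript:, data:, scheme-relative
// //host, malformed input) is replaced by the site's own URL.
function safe_close_frame_url(string $url, string $fallback): string
{
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    return $url;
}

function close_frame_link_hardened(string $url, string $fallback): string
{
    // The scheme check stops javascript:; htmlspecialchars stops a quote in
    // the value from closing the attribute and smuggling in an event handler.
    $safe = htmlspecialchars(safe_close_frame_url($url, $fallback), ENT_QUOTES, 'UTF-8');
    return "<a target='_top' href=\"" . $safe . "\">Close Frame</a>";
}

// Constructed inputs: the advisory's payload, a benign link, and a link
// carrying a double quote (added here to show why escaping is still needed).
$inputs = [
    'javascript:alert(document.cookie);',
    'http://www.example.com/',
    'http://x/" onmouseover="alert(1)',
];
$fallback = 'http://www.example.com/';   // stands in for XOOPS_URL

foreach ($inputs as $in) {
    echo "input:      ", $in, "\n";
    echo "vulnerable: ", close_frame_link_vulnerable($in), "\n";
    echo "hardened:   ", close_frame_link_hardened($in, $fallback), "\n\n";
}
```

Run with `php example.php`. The javascript: payload is replaced by the fallback URL because it has no host and a disallowed scheme; the quoted input passes the scheme check but its quotes are emitted as &quot;, so it can no longer break out of the href attribute.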


6. Exploit
==========

http://[target]/modules/mylinks/myheader.php?url=javascript:alert(document.cookie);

Clicking the above link takes the victim to a page whose "Close Frame" link is the attacker's javascript: URL. This proof of concept only displays the cookie; in a real attack the script would transmit document.cookie to the attacker instead. The cookie carries the session information the attacker needs to log in as the hijacked user, including an administrator.


7. Credits
==========

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net

Other items listed on the site:

Cross Site Scripting vulnerability in bb_func_usernfo.php
XSS Bug in XOOPS 1.0.5.1
Mambo Open Source 4.0.14 Webserver SQL injection
Ltrace buffer overrun bug

06.05.2004: Pound <=1.5 remote format string exploit (public version)
01.05.2004: X-Chat 1.8.0 - 2.0.8 Remote Exploit
06.04.2004: Monit <= 4.2 Basic Authentication - Username overflow remote root exploit
28.03.2004: Ethereal 0.10.0-0.10.2 IGAP Dissector Message Overflow Remote Root Exploit
02.03.2004: PSO-Proxy 0.9 PoC Remote Exploit