
List:       bugtraq
Subject:    PC-EXPERIENCE/TOPPE CMS Security Advisory
From:       rat () marocmaffia ! com
Date:       2005-07-30 15:09:50
Message-ID: 20050730150950.25424.qmail () securityfocus ! com

# PC-EXPERIENCE/TOPPE CMS Security Advisory
# By : Morinex
# E-Mail : rat@marocmaffia.com
# Date : 30-07-2K5 ( so lazy this summer )
# Shoutz : Woopie , sirh0t , 00pz , V1su4l and the gays of 0x1fe. I hate them so much isn't Falesco ? 0x1fe.com :)

Vulnerabilities


* User-ID Bypassing ( remote )
* Cross Site Scripting ( local )


We have found a USER-ID disclosure and an XSS vuln. on the PM. I don't have time to tell the full story about PCXP/TOPPE CMS so let's tell a brief history about this CMS. The CMS was coded by Alex of PCXP and after that he made it public for everyone. Later there was a guy named Toppe who modded the source and recoded the admin. Dunno if it's true but I heard a lot about this guy on wmc's but anyway let's take a look at the vulns.


Download the PC-XP source V2 on : http://members.lycos.nl/toppecms/pcexpv2.rar ( "Modded" )
Download the PC-XP source V1.15 on : http://members.lycos.nl/toppecms/pcxv1.15.zip




# USER-ID BYPASSING  ( remote )


Let's start directly. We are gonna get access on every user-id I want on a PC-XP/TOPPE CMS. Let's visit one target: wmhulp dot nl, hmmz now we are gonna check the cookie of wmhulp. C:\Documents and Settings\Morinex\Cookies, and I found this cookie in it:

wmhulp.nl  FALSE  /  FALSE  1144851286  hash  81859
wmhulp.nl  FALSE  /  FALSE  1144851286  id  48
wmhulp.nl  FALSE  /  FALSE  1144851286  wachtwoord  098f6bcd4621d373cade4e832627b4f6

As we see I am user ID 48 (registered before) and my password is 098f6bcd4621d373cade4e832627b4f6 (md5). If you cat login.php and scroll down you will see this: "if($assoc['userid'] == $_COOKIE['id'] AND $actie == bekijk){" If you have a little PHP exp you will see that $actie only is checking if the userid and cookie are the same. So it's easy to exploit, just edit 48 with your own ID number. You can see your ID number on the members list ( ledenlijst.php ). After that we save the cookie and visit the page: I am logged in with the userid I want. We have now full access on PCXP/TOPPE CMS. Take a look on the admin page ;> or kind of that.
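As an added example (not code from PC-XP/TOPPE), here is the ownership check quoted above next to a replacement that does not trust the cookie: the user id is established at login and kept in the server-side session, so the cookie the advisory edits no longer decides who you are, and no password hash needs to live in a cookie at all. The users table, its column names, the function names and the use of password_hash() for stored passwords are assumptions made for illustration.

```php
<?php
// Added example, not PC-XP/TOPPE code: the vulnerable ownership check from the
// advisory beside a session-based replacement. The users table, its columns and
// the function names are assumptions made for illustration.

// Session cookie that JavaScript cannot read and that is not sent cross-site.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Vulnerable pattern as quoted from login.php: the record and the comparison
// value both come from $_COOKIE['id'], which the visitor can set to any number,
// so the "check" passes for whichever user id the visitor chooses.
function is_owner_vulnerable(array $assoc): bool
{
    return $assoc['userid'] == $_COOKIE['id'];
}

// Fixed: identity is proven once, at login, and kept in $_SESSION on the
// server. Assumes passwords are stored with password_hash(), not bare MD5.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT userid, wachtwoord FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['wachtwoord'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after privilege change
    $_SESSION['userid'] = (int) $row['userid'];
    return true;
}

function current_userid(): ?int
{
    return isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
}

// The ownership check now compares the record against the logged-in identity
// held server-side; nothing the browser sends later can change it. Strict
// comparison (===) on ints avoids PHP's loose == surprises.
function is_owner(array $assoc): bool
{
    $uid = current_userid();
    return $uid !== null && (int) $assoc['userid'] === $uid;
}

// Example use in a page handler: load the record by the authenticated user,
// not by a cookie value, and refuse when there is no session.
function load_own_profile(PDO $db): ?array
{
    $uid = current_userid();
    if ($uid === null) {
        return null;                      // not logged in
    }
    $stmt = $db->prepare('SELECT userid, username FROM users WHERE userid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The point of the design is that authorization compares two server-side values (the record owner and the session's user id); the client only ever holds an opaque session id. Setting the session cookie HttpOnly also keeps it out of reach of the XSS described in the next section.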


# Cross Site Scripting Vuln. ( local )

This one is located on the pm page. ( pm.php )
Javascript is enabled so we can easily steal cookies. I'm not here to explain how but as you see we can run javascript on it so it's vuln for XSS attacks. Just enter this in the $msg <script>alert(document.cookie)</script> and he will see an alert.
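An added example, not code from pm.php: a raw echo of the message body beside the same rendering with HTML output encoding, using the probe string from the advisory as the input. The function names and the surrounding markup are assumptions.

```php
<?php
// Added example, not code from pm.php. render_pm_unsafe() reproduces the flaw
// the advisory describes; render_pm() is the fix. Function names and the
// wrapper markup are assumptions.

// Vulnerable: the sender's text is inserted into the page as markup, so a
// <script> tag inside $msg runs in the recipient's browser.
function render_pm_unsafe(string $msg): string
{
    return '<div class="pm">' . $msg . '</div>';
}

// Fixed: encode for the HTML text context before inserting. ENT_QUOTES also
// covers single quotes, so the same helper is safe inside attribute values;
// ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the whole output.
function render_pm(string $msg): string
{
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="pm">' . nl2br($safe) . '</div>';
}

// Constructed input: the probe string quoted in the advisory.
$msg = '<script>alert(document.cookie)</script>';

echo render_pm_unsafe($msg), PHP_EOL;   // tag is emitted as markup
echo render_pm($msg), PHP_EOL;          // tag is emitted as visible text
```

Encoding at the point of output is the fix; marking session cookies HttpOnly limits what a successful injection can read but does not remove the injection itself.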




# Solution


There is no solution at the moment and there will not come one.
PC-XP was stopped a long long time ago and TOPPE is not happy when we are spreading the CMS to the public. The only solution for this one is to stop using this CMS and take a look at PHPNUKE, MAMBO etc. ffs he is himself using Mambo CMS now on his mainpage ( toppedotnl )

