Home page logo

bugtraq logo Bugtraq mailing list archives

From: rat () marocmaffia com
Date: 30 Jul 2005 15:09:50 -0000

# By : Morinex
# E-Mail : rat () marocmaffia com
# Date : 30-07-2K5 ( so lazzy this summer )
# Shoutz : Woopie , sirh0t , 00pz , V1su4l and the gay´s of 0x1fe. I hate them so much isnt Falesco ? 0x1fe.com :)


* User-ID Bypassing ( remote )
* Cross Site Scripting ( local )

We have founded a USER-ID disclosure and a XXS vuln. on the PM. I dont have time
to tell the full story about PCXP/TOPPE CMS so let´s tell a brief history about this CMS.
The CMS was coded by Alex of PCXP and after that he made it public for everyone.
Later there was a guy named Toppe who modded the source and recoded the admin. Dunno if its true but i heard a lot 
about this gay on wmc´s but anyway lets take a look on the vuln´s.

Download the PC-XP source V2 on :  http://members.lycos.nl/toppecms/pcexpv2.rar ( "Modded" )
Download the PC-XP source V1.15 on : http://members.lycos.nl/toppecms/pcxv1.15.zip

# USER-ID BYPASSING  ( remote )

Let´s start directly . We are gonna get acces on every user-id i want on a PC-XP/TOPPE cms.
Let´s visit one target. wmhulp dot nl , hmmz now we are gonna check the cookie of wmhulp.
C:\Documents and Settings\Morinex\Cookies , and i found this cookie on it :

wmhulp.nl  FALSE  /  FALSE  1144851286  hash  81859
wmhulp.nl  FALSE  /  FALSE  1144851286  id  48
wmhulp.nl  FALSE  /  FALSE  1144851286  wachtwoord  098f6bcd4621d373cade4e832627b4f6

as we see i am user ID 48 (registered before ) and my password is 098f6bcd4621d373cade4e832627b4f6 (md5) .
If u cat login.php and scroll down u will see this "if($assoc['userid'] == $_COOKIE['id'] AND $actie == bekijk){ "
If u have a litle php exp u will see that $actie only is checking if the userid and cookie are the same. So its easy to 
just edit 48 with ure own ID number . U can see ure ID number on the members list ( ledenlijst.php ) .
After that we save the cookie and visit the page i am logged in with the userid i want. We have now full acces on 
Take a look on the admin page ;> or kind of that.

# Cross Site Scripting Vuln. ( local )

This one is located on the pm page. ( pm.php )
Javascript is enabled so we can easy steal cookie´s. Im not here to explain how but as u see
we can run javascript on it so its vuln for XSS attack´s. Just enter this on the $msg
<script>alert(document.cookie)</script> and he will see a alert.

# Solution

There is no solution at the moment and there will not come one.
PX-XP is stopped a long long time ago and TOPPE is not happy when we are spreading the CMS to the public.
The only solution for this one is stopping using this CMS and take a look on PHPNUKE, MAMBO etc. ffs he is self
using now Mambo CMS on his mainpage ( toppedotnl )

  By Date           By Thread  

Current thread:
  • PC-EXPERIENCE/TOPPE CMS Security Advisory rat (Jul 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]