SecurityVulns SECURITYVULNS:DOC:21750
Apr 29, 2009 - 12:00 a.m.

Reporting new vulnerabilities


Hi SecurityVulns team,

I am writing to report three vulnerabilities that I found in the latest version
of Aardvark Topsites PHP (5.2.1) and older versions.

The cause of all of them is the incorrect verification of input parameters.

Here are the vulnerabilities:

HTML Injection (up to 5.2.0)

For example, it is possible to inject a link to any URL with any anchor text.

POC:
/index.php?a=search&q=psstt+security”><a+href%3Dhttp%3A%2F%2Fwebsec.id3as.com>Web-Application-Security

Information Disclosure 1 (up to 5.2.1)

Disclosure of the full path of the application sources when you put a
negative number in the 'start' parameter.

POC: /index.php?a=search&q=psstt&start=-4

Information Disclosure 2 (up to 5.2.0)

Disclosure of the full path of the application sources, and some source code
too, when you put a non-existent user in the 'u' parameter.

POC: /index.php?a=rate&u=nonexistentuser

I created a page with the details:
http://websec.id3as.com/aardvark-topsites-php-521-security-vulnerabilities-disclosure/

Feel free to ask me any question about this to properly report these
vulnerabilities.

Google Dork: "Powered by Aardvark Topsites PHP 5.2.0"
(or 5.2.1 for the last version)

Thanks,
José Pablo González
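
The three issues in the report share one root cause: request parameters reach output or lookups unchecked. As an added example (not part of the original report and not Aardvark Topsites PHP code), the following PHP 8 code shows the corresponding checks for a search term, a paging offset and a member lookup. The function names, the member array and the allowed username characters are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not Aardvark Topsites PHP source) showing the input
// checks whose absence the report describes.

// Full paths leak through rendered errors; log them instead of displaying them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Encode a value for HTML text or a quoted attribute (search term 'q'). */
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Parse a paging offset such as 'start'; anything outside 0..$max becomes 0. */
function page_offset(mixed $raw, int $max = 100000): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => $max]]);
    return $n === false ? 0 : $n;
}

/** Look up a member for 'u'; a miss returns null instead of raising an error. */
function find_member(array $members, mixed $raw): ?array
{
    // Allowed username characters are an assumption for this example.
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $raw)) {
        return null;
    }
    return $members[$raw] ?? null;
}

// Constructed sample data and request values.
$members = ['alice' => ['title' => 'Alice site']];
$q = 'x"><b>y';

echo '<input name="q" value="' . html_out($q) . '">' . "\n";
echo 'start=' . page_offset('-4') . "\n";

$member = find_member($members, 'nonexistentuser');
if ($member === null) {
    // Generic response: no stack trace, file path or source excerpt.
    http_response_code(404);
    echo "Unknown member\n";
}
```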