<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-2">
<META content="MSHTML 6.00.2743.600" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#c1cad5>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>-=[ SecurityReason-2005-SRA#01 ]=-</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>-=[ Multiple vulnerabilities in paFileDB
]=-</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Author: sp3x<BR>Date: 8 March 2005</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Affected software
:<BR>===================<BR>paFileDB version : => 3.1</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Description :<BR>=============</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>paFileDB is designed to allow webmasters to have a
database of files for download on their site. <BR>To add a download, all you do
is upload the file using FTP or whatever method you use, log<BR>into paFileDB's
admin center, and fill out a form to add a file. paFileDB lets you edit
and<BR>delete the files too. <BR>No more messing with a bunch of HTML pages for
a file database on your site! <BR>Using speedy MySQL for storing data and
powerful PHP for processing everything, paFileDB is<BR>one of the best and
easiest ways to manage files!</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Cross-site scripting - XSS
:<BR>============================</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>paFileDB contains cross-site scripting flaws that can be used to
steal cookies and perform other actions which, under<BR>normal conditions, the browser's
cross-domain security restrictions would not permit. </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>First let's look at the vulnerable
code in<BR>/includes/functions.php</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Code:<BR>-------------------------------------------------------------------------------------------------<BR>function jumpmenu($db, $pageurl, $pafiledb_sql, $str) {<BR> // $pageurl is taken from the request and written into value="..." without any escaping<BR> echo("&lt;form name=\"form1\"&gt;<BR> &lt;select name=\"menu1\" onChange=\"MM_jumpMenu('parent',this,0)\" class=\"forminput\"&gt;<BR> &lt;option value=\"$pageurl\" selected&gt;$str[jump]&lt;/option&gt;<BR> &lt;option value=\"$pageurl\"&gt;---------&lt;/option&gt;");<BR>.....<BR>--------------------------------------------------------------------------------------------------</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>As we can see, the $pageurl variable is vulnerable to
XSS: it is placed inside a double-quoted value attribute without escaping, so a " in the
URL closes the attribute and whatever follows is rendered as markup.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Examples:<BR>=========</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>XSS:<BR>----<BR>http://[target]/[pafiledb_dir]/pafiledb.php?"&gt;&lt;script&gt;alert();&lt;/script&gt;<BR>http://[target]/[pafiledb_dir]/pafiledb.php?action="&gt;&lt;script&gt;alert();&lt;/script&gt;<BR>http://[target]/[pafiledb_dir]/pafiledb.php?[something]="&gt;&lt;script&gt;alert();&lt;/script&gt;<BR>http://[target]/[pafiledb_dir]/pafiledb.php?[something]=&amp;[something]="&gt;&lt;script&gt;alert();&lt;/script&gt;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>and so on.<BR>The payload can also be supplied in a
parameter that does not exist at all.<BR>This XSS affects almost every page of the site, because
jumpmenu() is used by pafiledb.php<BR>(line 30 of pafiledb.php: require
"./includes/functions.php";).</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Full Path Disclosure
:<BR>======================</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>The full path to the script should be kept secret, because
it can contribute to a successful attack on the<BR>website. Once an attacker knows the
full path to the script, they can look for more information about<BR>other folders
or about the server hosting the site and then try to break
in.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Many scripts can be requested directly, which
provokes standard<BR>PHP error messages that disclose the full path.
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Examples :<BR>----------</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><A
href="http://[target]/[pafiledb_dir]/pafiledb.php?str=[something]">http://[target]/[pafiledb_dir]/pafiledb.php?str=[something]</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Error message
:<BR>---------------<BR>=====================================<BR>Fatal error:
Cannot use assign-op operators with overloaded objects nor string offsets
in<BR>/[path to site]/public_html/pafiledb/lang/english.php on line
55<BR>=====================================</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><A
href="http://[target]/[pafiledb_dir]/includes/viewall.php">http://[target]/[pafiledb_dir]/includes/viewall.php</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Error message
:<BR>---------------<BR>=====================================<BR>Fatal error:
Call to undefined function: locbar() in
/[path to site]/public_html/pafiledb/includes/viewall.php on line
16<BR>=====================================</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><A
href="http://[target]/[pafiledb_dir]/includes/stats.php">http://[target]/[pafiledb_dir]/includes/stats.php</A><BR><A
href="http://[target]/[pafiledb_dir]/includes/search.php">http://[target]/[pafiledb_dir]/includes/search.php</A><BR><A
href="http://[target]/[pafiledb_dir]/includes/rate.php">http://[target]/[pafiledb_dir]/includes/rate.php</A><BR><A
href="http://[target]/[pafiledb_dir]/includes/main.php">http://[target]/[pafiledb_dir]/includes/main.php</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><A
href="http://[target]/[pafiledb_dir]/includes/license.php">http://[target]/[pafiledb_dir]/includes/license.php</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Error message
:<BR>---------------<BR>=====================================<BR>Fatal error:
Call to a member function on a non-object in
/[path to site]/public_html/pafiledb/includes/license.php on line
12<BR>=====================================</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><A
href="http://[target]/[pafiledb_dir]/includes/category.php">http://[target]/[pafiledb_dir]/includes/category.php</A><BR><A
href="http://[target]/[pafiledb_dir]/includes/download.php">http://[target]/[pafiledb_dir]/includes/download.php</A><BR><A
href="http://[target]/[pafiledb_dir]/includes/file.php">http://[target]/[pafiledb_dir]/includes/file.php</A><BR><A
href="http://[target]/[pafiledb_dir]/includes/email.php">http://[target]/[pafiledb_dir]/includes/email.php</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><A
href="http://[target]/[pafiledb_dir]/includes/admin.php">http://[target]/[pafiledb_dir]/includes/admin.php</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Error message
:<BR>---------------<BR>=====================================<BR>Warning:
main(./includes/admin/login.php): failed to open stream: No such file or
directory in<BR>/home/phparena/public_html/demo/pafiledb/includes/admin.php on
line 17</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Warning: main(./includes/admin/login.php): failed
to open stream: No such file or directory
in<BR>/home/phparena/public_html/demo/pafiledb/includes/admin.php on line
17</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Warning: main(): Failed opening
'./includes/admin/login.php' for
inclusion<BR>(include_path='.:/usr/lib/php:/usr/local/lib/php')
in<BR>/home/phparena/public_html/demo/pafiledb/includes/admin.php on line
17<BR>======================================</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>How to fix :<BR>============</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>XSS :<BR>-----</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Add the following line to the jumpmenu function in the file
/includes/functions.php:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>$pageurl=htmlspecialchars($pageurl);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Function should look like this :</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Code:<BR>-------------------------------------------------------------------------------------------------<BR>function jumpmenu($db, $pageurl, $pafiledb_sql, $str) {<BR> // encode &lt;, &gt;, &amp; and " so that $pageurl cannot close the value="..." attribute<BR> $pageurl=htmlspecialchars($pageurl);<BR> echo("&lt;form name=\"form1\"&gt;<BR> &lt;select name=\"menu1\" onChange=\"MM_jumpMenu('parent',this,0)\" class=\"forminput\"&gt;<BR> &lt;option value=\"$pageurl\" selected&gt;$str[jump]&lt;/option&gt;<BR> &lt;option value=\"$pageurl\"&gt;---------&lt;/option&gt;");<BR>.....<BR>--------------------------------------------------------------------------------------------------</FONT></DIV>
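<DIV><FONT face=Arial size=2>As an added example (my code, not paFileDB's), the snippet below renders the jumpmenu option tag with and without the htmlspecialchars() call, feeding it the payload from the examples above, and checks whether a raw script tag survives. It passes ENT_QUOTES, which the one-line fix above does not: before PHP 8.1 the default flags leave single quotes unencoded. The function names are my own.</FONT></DIV>

```php
<?php
// Added example, not paFileDB code: renders the <option> tag the way
// jumpmenu() does, with and without the fix, so the effect of
// htmlspecialchars() on the advisory's payload can be checked.

function render_jump_option(string $pageurl, bool $patched): string
{
    if ($patched) {
        // ENT_QUOTES encodes ' as well as ". Before PHP 8.1 the default
        // flags (ENT_COMPAT) leave single quotes alone: enough for the
        // double-quoted value="..." here, not for a single-quoted attribute.
        $pageurl = htmlspecialchars($pageurl, ENT_QUOTES);
    }
    // Same shape as the tag emitted by jumpmenu(), with a fixed label.
    return "<option value=\"$pageurl\" selected>Jump to</option>";
}

// True if the markup still contains a raw <script> tag, i.e. the
// value broke out of the attribute.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input modelled on the advisory's example URL.
$pageurl = 'pafiledb.php?action="><script>alert();</script>';

foreach ([false, true] as $patched) {
    $html = render_jump_option($pageurl, $patched);
    printf("%-9s %s\n", $patched ? 'patched:' : 'original:', $html);
    printf("          script tag survives: %s\n",
           contains_script_tag($html) ? 'yes' : 'no');
}
```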
<DIV> </DIV><FONT face=Arial size=2>
<DIV><BR>Download the new version of the script or update.</DIV>
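<DIV>For the full path disclosure, here is an added example (my code, not paFileDB's) of a guard for the top of each file under /includes/: it refuses direct requests such as the URLs listed above before any code that could raise a fatal error runs, and keeps error text out of the browser. The function is_direct_request() is my own name; SCRIPT_FILENAME, realpath() and the ini settings are standard PHP.</DIV>

```php
<?php
// Added example, not paFileDB code: put at the top of every file under
// /includes/ (viewall.php, license.php, admin.php, ...). Requested directly
// it answers 403; loaded via require from pafiledb.php it does nothing.

// Returns true when PHP was started on $thisFile itself rather than on an
// entry script that required it. SCRIPT_FILENAME is the script the web
// server (or CLI) handed to PHP; __FILE__ is the file being executed.
function is_direct_request(string $thisFile, array $server): bool
{
    if (!isset($server['SCRIPT_FILENAME'])) {
        return true; // unknown context: fail closed
    }
    $entry = realpath($server['SCRIPT_FILENAME']);
    return $entry === false || $entry === realpath($thisFile);
}

if (is_direct_request(__FILE__, $_SERVER)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to this file is not allowed.');
}

// Second layer, normally set in php.ini or in pafiledb.php: even if an
// error does occur, keep the message (and the absolute path it carries)
// out of the browser and in the server error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// ... the include's original code follows here
```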
<DIV> </DIV>
<DIV>Vendor :<BR>========</DIV>
<DIV> </DIV>
<DIV>No response.</DIV>
<DIV> </DIV>
<DIV>Greetz :<BR>========</DIV>
<DIV> </DIV>
<DIV>Special greetz : cXIb8O3 (we are starting man :] ), pkw (you now :])</DIV>
<DIV> </DIV>
<DIV>Contact :<BR>=========</DIV>
<DIV> </DIV>
<DIV>sp3x[at]securityreason[dot]com<BR><A
href="http://www.securityreason.com">www.securityreason.com</A><BR></FONT></DIV></FONT></DIV></BODY></HTML>