
Profiler v1.0 Multi Vulnerability

Author: indoushka , Published: 25-10-2014
Profiler v1.0 Multi Vulnerability
==================================
Author : indoushka
Vendor : www.p30vel.ir
Dork : Copyright (C) 2012 Ozgur Zeren (unity100@gmail.com)
======================================

Cross site scripting [stored] (verified) :

This vulnerability affects /profiler/ADMIN/avatar.php.

Attack details :

POST (multipart) input avatar_image was set to 61191375145908.jpg" onmouseover=prompt(961973) bad="
The input is reflected in http://127.0.0.1/profiler/ADMIN/avatar.php
The input is reflected inside a tag parameter between double quotes.

This vulnerability affects /profiler/ADMIN/portfolio_categories.php.

Attack details :

URL encoded POST input category_title was set to Mr.--><ScRiPt >prompt(974767)</ScRiPt><!--
The input is reflected in http://127.0.0.1/profiler/ADMIN/portfolio.php?do=add
The input is reflected inside a comment element.

This vulnerability affects /profiler/ADMIN/setting.php.

Attack details :

URL encoded POST input contact_information was set to 1</textarea><ScRiPt >prompt(932298)</ScRiPt>
The input is reflected in http://127.0.0.1/profiler/ADMIN/setting.php
The input is reflected inside a <textarea> tag.

This vulnerability affects /profiler/ADMIN/skills.php.

Attack details :

URL encoded POST input skill_title was set to Mr.--><ScRiPt >prompt(922167)</ScRiPt><!--
The input is reflected in http://127.0.0.1/profiler/ADMIN/skills.php
The input is reflected inside a comment element.

Affected items
/profiler/ADMIN/avatar.php
/profiler/ADMIN/portfolio_categories.php
/profiler/ADMIN/setting.php
/profiler/ADMIN/skills.php
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into the vulnerable application to deceive a user and gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
Your script should filter metacharacters from user input and encode each value for the context in which it is written back to the page (attribute value, comment, <textarea>).
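The three reflection contexts above each need their own encoding. The following is an added example (not code from the Profiler project); the function names and the surrounding markup are assumptions about how avatar.php, setting.php and skills.php might render these values.

```php
<?php
// Added example, not code from the Profiler project: context-aware output
// encoding for the three reflection contexts the advisory lists. Function
// names and the markup are assumptions about how avatar.php, setting.php
// and skills.php might render these values.

// Text content, <textarea> bodies and double-quoted attribute values.
// ENT_QUOTES turns " into &quot;, so the avatar_image payload can no longer
// close the src attribute, and < becomes &lt;, so the contact_information
// payload cannot close </textarea> early.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HTML comments are a different context: htmlspecialchars leaves "--"
// untouched, so a "-->" in category_title or skill_title ends the comment.
// Best is to keep user data out of comments entirely; if it must go there,
// collapse runs of hyphens and encode ">" so neither "-->" nor "--!>" forms.
function esc_comment(string $value): string
{
    return str_replace('>', '&gt;', preg_replace('/-+/', '-', $value));
}

function render_avatar(string $filename): string
{
    return '<img src="/profiler/uploads/avatar/' . esc_html($filename) . '" alt="avatar">';
}

function render_contact(string $contact): string
{
    return '<textarea name="contact_information">' . esc_html($contact) . '</textarea>';
}

function render_skill_marker(string $title): string
{
    return '<!-- skill: ' . esc_comment($title) . ' -->';
}

// Constructed inputs: the payloads quoted in the advisory. Each is rendered
// inert; the attribute, the textarea and the comment all stay closed.
echo render_avatar('61191375145908.jpg" onmouseover=prompt(961973) bad="'), "\n";
echo render_contact('1</textarea><ScRiPt >prompt(932298)</ScRiPt>'), "\n";
echo render_skill_marker('Mr.--><ScRiPt >prompt(922167)</ScRiPt><!--'), "\n";
```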

File upload XSS :

This vulnerability affects /profiler/ADMIN/avatar.php.
Discovered by: Scripting (File_Upload.script).

Attack details :

Successfully uploaded file AcuTest4579.htm with content type text/html.
The file is available at: /profiler/uploads/avatar/50241412432332.htm.

HTML Form found in redirect page [high severity] :

Vulnerability description
Manual confirmation is required for this alert.

An HTML form was found in the response body of this page. However, the page redirects the visitor to another page by returning an HTTP status code of 301/302, so browser users never see the contents of this page and cannot interact with the HTML form.

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:
<?php
session_start();
if (!isset($_SESSION["authenticated"])) {
    header("Location: auth.php");
    // no exit(): execution continues and the page below is still sent
}
?>

<title>Administration page</title>
<form action="/admin/action" method="post">
<!-- ... form inputs ... -->
</form>

<!-- ... the rest of the administration page ... -->
This script is incorrect because execution is not terminated after the "header("Location: auth.php");" line. An attacker can read the content of the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.
The correct code would be:

<?php
session_start();
if (!isset($_SESSION["authenticated"])) {
    header("Location: auth.php");
    exit(); // stop here so the form below is never sent along with the redirect
}
?>

<title>Administration page</title>
<form action="/admin/action" method="post">
<!-- ... form inputs ... -->
</form>

<!-- ... the rest of the administration page ... -->

Affected items
/profiler/ADMIN/avatar.php
/profiler/ADMIN/change_password.php
/profiler/ADMIN/portfolio_categories.php
/profiler/ADMIN/setting.php
/profiler/ADMIN/skills.php
/profiler/ADMIN/social.php

jQuery cross site scripting :

This vulnerability affects /profiler/ADMIN/js/jquery.min.js.
Discovered by: Scripting (jQuery_Audit.script).
Attack details :

Pattern found:
/*!
* jQuery JavaScript Library v1.5.2
* http://jquery.com

Unrestricted file upload :

Vulnerability description
This script is possibly vulnerable to unrestricted file upload. Many web applications allow users to upload files (pictures, images, sounds, ...). Uploaded files pose a significant risk if not handled correctly: a remote attacker could send a multipart/form-data POST request with a specially-crafted filename or MIME type and execute arbitrary code. Acunetix WVS was able to upload a file containing executable code and get this code executed. Check Attack details for more information about this attack.
This vulnerability affects /profiler/ADMIN/avatar.php.

Attack details :

Successfully uploaded file AcuTest5577.php with content type image/jpeg.
The file is available at: /profiler/uploads/avatar/73011412432332.php

The impact of this vulnerability
It may be possible for an attacker to use this vulnerability to execute arbitrary code.

How to fix this vulnerability
Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded.
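The following is an added example (not the Profiler project's own avatar.php) of an upload handler applying those rules; it covers both the .php upload above and the .htm upload from the "File upload XSS" section. It assumes the field name avatar_image and the destination directory /profiler/uploads/avatar/ from the advisory.

```php
<?php
// Added example, not the Profiler project's code: a whitelist avatar upload
// handler. Assumes the $_FILES field "avatar_image" and the directory
// uploads/avatar/ from the advisory; AVATAR_DIR is a placeholder path.
const AVATAR_DIR = __DIR__ . '/../uploads/avatar';
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

/** Stores an uploaded avatar and returns its new filename; throws otherwise. */
function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    $name = basename($file['name']);
    // Reject dotfiles (.htaccess) and double extensions (shell.php.png):
    // the name must be one label, one dot, one extension, nothing else.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        throw new RuntimeException('bad filename');
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED[$ext])) {          // whitelist, not blacklist
        throw new RuntimeException('extension not allowed');
    }
    // Do not trust the client's Content-Type (the scanner sent image/jpeg
    // for a .php file): sniff the real bytes and require them to match.
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $actual = $finfo->file($file['tmp_name']);
    if ($actual !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $actual, not " . ALLOWED[$ext]);
    }
    // Rename: a random name with only the whitelisted extension, so nothing
    // attacker-controlled reaches the filesystem or a later <img src="...">.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = AVATAR_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);                    // readable, never executable
    return $stored;
}

// Usage inside avatar.php, after the session and authorisation checks:
// $stored = store_avatar($_FILES['avatar_image']);
```

The AcuTest5577.php upload fails the extension whitelist and the AcuTest4579.htm upload fails both the whitelist and the MIME check, so neither reaches uploads/avatar/.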
