#####################################
# CHT Security Research Center-2004 #
# http://www.CyberSpy.Org           #
# Turkey                            #
#####################################

Software:
CoolPHP

Web Site:
http://cphp.sourceforge.net/

Affected Version(s):
1.0-stable

Description:
CoolPHP is a PHP based portal system.It requires A Web server with PHP>=PHP4
support and MySQL.
It's compatible with *NIX and NT.

Multiple Vulnerabilities in CoolPHP:

Cross-Site Scripting vulnerability:
CoolPHP is vulnerable to cross-site scripting attacks.
It is possible to construct a link containing arbitrary script code to a website
running CoolPHP.
When a user browses the link, the script code will be executed on the user's
browser.
This vulnerability occurs due to insufficient inspection of some user-supplied
input.
As a result of this deficiency an attacker may exploit the vulnerability by
creating a specially crafted URL that includes malicious HTML code as URI
parameters for index.php

Examples:

http://[victim]/index.php?op=buscar&query=<script
language=javascript>window.alert(document.cookie);</script>
http://[victim]/index.php?op=buscar&query=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
http://[victim]/index.php?op=userinfo&nick=<script
language=javascript>window.alert(document.cookie);</script>


Path Disclosure Vulnerability:
CoolPHP is prone to a path disclosure vulnerability.
Passing invalid value for the 'op' URI parameter to the index.php file
will cause an error message to be displayed which contains physical path
information.
This information could be useful in further attacks against the system.

Demonstration:

http://[victim]/cphp/index.php?op=invparam


Local file include Vulnerability with Directory Traversal :
CoolPHP does not filter dot dot slash (../) sequences from web requests.
This problem may allow an attacker to access known files outside the server root
directory
and will permit a local attack to include malicious PHP scripts from another
local paths.

Examples:

http://[victim]/index.php?op=../../../../anotheruser/evilfile
or as URL encoded format:
http://[victim]/index.php?op=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fanotheruser/evilfile

----
Reported By R00tCr4ck at October,16 2004
root(at)CyberSpy.Org
Original Article can be found at:
http://www.CyberSpy.Org