ersatz_at_unixhideout.com
Date: Sun Oct 20 2002 - 18:41:24 CDT


    [INTRO]

    Some of you may be familiar with Pafiledb, provided by
    PHP Arena. Well, they just released a new version that
    fixed a problem with their counting of files. Along
    with that, they said they fixed a possible security bug
    involving using JavaScript as a search string. I
    checked it on my old version and it is in fact there, so
    I updated to the new version so the bugs could be fixed,
    and I checked it and it no longer works. I figured
    where there is one there are bound to be others, so I
    went searching.

    [Discovery]

    I discovered that there are three other XSS
    vulnerabilities within the software which can be
    performed by editing the URL of three different sections.

    AFFECTED:

    * Rate File
    * Email to Friend
    * Download

    UNAFFECTED:

    * Stats

    [Exploit]

    http://ersatz.n3t.net/downloads/pafiledb.php?action=rate&id=4?"<script>alert('Testing')</script>"
    http://ersatz.n3t.net/downloads/pafiledb.php?action=email&id=4?"<script>alert('Testing')</script>"
    http://ersatz.n3t.net/downloads/pafiledb.php?action=download&id=4?"<script>alert('Testing')</script>"

    I discovered this by first clicking the link to
    email to a friend and then removing everything out of
    the URL after &id=4 and adding
    ?"<script>alert('Testing')</script>", and just as I
    expected it worked. I moved on to email to a friend the
    same way and it worked, and then I proceeded to make the
    change
    action=download&id=4?"<script>alert('Testing')</script>"
    and again it worked. I then decided to check stats, and
    to my surprise there it did not work.

    [END]

    I have not contacted PHP Arena as of yet, but I am about
    to. Hopefully, since they fixed it in the search field,
    all they should have to do is release the code or apply
    it themselves and then come out with an update, which
    shouldn't take long. I hope.

    Another XSS vulnerability provided by ersatz
    ersatzn3t.net
    http://ersatz.n3t.net :: A nice place to chill out and
    learn something new