[This was originally published on OSVDB, now gone, and touched up for style. VulnDB 18533, 18534, 18535, 18536]
During communication with the vendor of Whois.Cart regarding previous entries, Alexandre Lemaire was very helpful and prompt in providing information for the OSVDB team to resolve outstanding questions. During the communication, a few low concern issues were found. Mr. Lemaire and his team fixed the issues within one hour of my mail.
From: security curmudgeon jericho[at]attrition.org
To: S. Alexandre M. Lemaire saeven[at]saeven.net
Cc: Mods moderators[at]osvdb.org
Date: Fri, 8 Jul 2005 02:01:03 -0400 (EDT)
Subject: [OSVDB Mods] Re: [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access
In the mean time, while poking around http://whoiscart.net/demo/ I did
find some other valid XSS vulnerabilities.
/demo/admin/index.php “domains” option, clicking the + on the left then putting in as the domain name will create a persistent XSS. Clicking ‘save’ returns me to the demo main page and pops up my vulnerable warning. Each time that page loads, the script pops up again until I delete the domain.
Clicking the “hosts” option, create a new plan (or cyclic fee, or target) with the same script code, and it will render the script twice.
Clicking the “hosting” option, “Add Line to Hosting Plans”, the same script in the ‘Package’ field will render. THe “HKey” variable and others may be as well (difficult to tell if it’s the previous script rendering or new input).
The info.php page also provides a lot of information routinely considered sensitive (to the security community) including the installation path, configuration options, versions and more.
During one of these XSS attempts, a portion of SQL syntax appeared at the top of the page as well which hints at a possible SQL injection scenario.
From: S. Alexandre M. Lemaire saeven[at]saeven.net
To: security curmudgeon jericho[at]attrition.org
Date: Fri, 8 Jul 2005 02:42:47 -0400
Subject: Re: [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access
I'll have the most recent CVS snap uploaded to the server, and thank you
for your time with this. I’ve just released a patch version with respects
to your findings, thank you for having kindly conveyed them – just my luck
that you’d find something else whilst I’m trying to convince you that
something unrelated is otherwise ‘ok’.