PHP Code Execution and Multiple XSS in ShoutLIVE

Summary

Vulnerability: PHP Code Execution and Multiple XSS in ShoutLIVE
Discovered: 2006.02.24
Last Update: 2006.03.06 Exploitation code published
ID: EV0087
CVE: CVE-2006-0940, CVE-2006-0941
Risk Level: high
Type: PHP Code Execution
Status: Unpatched. No reply from developer(s)
Vendor: n/a
Vulnerable Software: ShoutLIVE (http://cynic.x10hosting.com/downloadfile.php?file=phpscripts/ShoutLIVE.zip)
Version: 1.1.0
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A PHP code execution vulnerability was found in the ShoutLIVE (http://cynic.x10hosting.com/downloadfile.php?file=phpscripts/ShoutLIVE.zip) script.

1. PHP Code Execution

Vulnerable Script: savesettings.php

User-defined variables are not sanitized before being written into settings.php.
This can be used to inject arbitrary PHP code.

System access is possible.


2. Multiple Cross-Site Scripting

Vulnerable Script: post.php

User-defined variables are not sanitized when a new message is posted. This can be used to inject arbitrary HTML or JavaScript code.

PoC/Exploit

1. PHP Code Execution Example.

<form method=POST action=http://[host]/savesettings.php>
<input name=admin_pword value='asd"; [code] $a="'>
</form>


2. Multiple Cross-Site Scripting

URL: http://[host]/index.php
First name: [XSS]
Web Site: javascript:[script]
Message: [XSS]

Solution

A solution for "PHP Code Execution and Multiple XSS in ShoutLIVE" is not available. Check the vendor's website for updates.
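
As an added example (not part of the advisory and not ShoutLIVE code), the following PHP sketch shows how a site operator or maintainer could close both issue classes described above: writing settings as escaped literals, and escaping post fields while allowing only http(s) links. The function names, the assumption that settings.php holds plain variable assignments, and the sample inputs are hypothetical.

```php
<?php
// Added example, not ShoutLIVE code. Assumes settings.php is a PHP file of
// variable assignments and that posts carry name, website and message fields.

// Render settings as PHP source. var_export() emits a correctly escaped
// single-quoted literal, so a quote in a value cannot terminate the string.
function render_settings(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        // Only identifier-shaped names may become variable names.
        if (!is_string($name) || !preg_match('/^[a-z_][a-z0-9_]*$/i', $name)) {
            throw new InvalidArgumentException('bad setting name');
        }
        $out .= '$' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $out;
}

// Escape a field for use in HTML text or inside a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) links; any other scheme yields ''.
function safe_website(string $url): string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

// Constructed inputs, reusing the placeholder strings from the PoC section.
echo render_settings(['admin_pword' => 'asd"; [code] $a="']);

$site = safe_website('javascript:[script]');
echo $site === '' ? "website rejected\n" : '<a href="' . h($site) . '">site</a>' . "\n";
echo h('<b>First name</b>'), "\n";
```

In a real deployment the rendered source would be written with file_put_contents() using LOCK_EX, and h() would be applied at output time to every stored post field.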