SpotTheVuln.com » Develop Secure Code and Identify Security Vulnerabilities http://spotthevuln.com Helping Developers Understand Security Fri, 10 Feb 2012 14:50:06 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Spotthevulncomhttp://feedburner.google.com Boundaries – SQL Injection http://feedproxy.google.com/~r/Spotthevulncom/~3/WVYA-tI28Hg/ http://spotthevuln.com/2011/08/boundaries-sql-injection/#comments Mon, 08 Aug 2011 18:15:49 +0000 bkrios http://spotthevuln.com/?p=1575 Affected Software: My Calendar WordPress Plugin

Fixed in Version: >1.7.2

Issue Type: SQL Injection

Original Code: Found Here

Details

This week’s bug was a subtle mistake in the usage of an escaping routine. It seems the developer understood the dangers of SQL injection and therefore used an escaping routine to sanitize user controlled input [...]]]>

Details

Affected Software: My Calendar WordPress Plugin

Fixed in Version: >1.7.2

Issue Type: SQL Injection

Original Code: Found Here

Details

This week’s bug was a subtle mistake in the usage of an escaping routine. It seems the developer understood the dangers of SQL injection and therefore used an escaping routine to sanitize user controlled input before using that input to build a SQL statement. Unfortunately, the developer overlooked a crucial characteristic and used the wrong escaping routine. Looking at the vulnerable line, we see the following:

1
$sql = "SELECT * FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=".mysql_escape_string($_GET['category_id']);

As you can clearly see, the developer chose to utilize the mysql_escape_string() function to escape $_GET[‘category_id] before using category_id to build a SQL statement. Looking at the documentation (http://php.net/manual/en/function.mysql-escape-string.php) for mysql_escape_string(), we see that the specific characters escaped are: null byte (0), newline (\n), carriage return (\r), backslash (\), single quote (‘), double quote (“) and substiture (SUB, or \032). In this case, none of these characters are required in order for SQL injection to be successful. The user controlled $_GET[‘category_id’] is not enclosed in quotes, so there is no need to break out of quotes for SQL injection. For example, the attacker can pass the following:

http://path-to-server/calendar.php? category_id=1%20union%20select%201,2,3,4,5,6%20from%20users;

This would result in the following SQL statement:
SELECT * FROM WP_CALENDAR_CATEGORIES_TABLE WHERE category_id=1 union select 1,2,3,4,5,6 from users;

As you can see, the attacker can craft a valid SQL injection without using any of the characters escaped by mysql_escape_string(). The developers addressed this issue by casting the $_GET[‘category_id’] to an int before using it in a SQL statement.

If you look closely… you’ll see other, unpatched SQL injections with the same symptom littered throughout the code…

Vulnerable Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
...snip...
     
</style>
<?php
  // We do some checking to see what we're doing
  if (isset($_POST['mode']) && $_POST['mode'] == 'add')
    {
      // Proceed with the save  
      $sql = "INSERT INTO " . WP_CALENDAR_CATEGORIES_TABLE . " SET category_name='".mysql_escape_string($_POST['category_name'])."', category_colour='".mysql_escape_string($_POST['category_colour'])."'";
      $wpdb->get_results($sql);
      echo "<div class=\"updated\"><p><strong>".__('Category added successfully','calendar')."</strong></p></div>";
    }
  else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'delete')
    {
      $sql = "DELETE FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=".mysql_escape_string($_GET['category_id']);
      $wpdb->get_results($sql);
      $sql = "UPDATE " . WP_CALENDAR_TABLE . " SET event_category=1 WHERE event_category=".mysql_escape_string($_GET['category_id']);
      $wpdb->get_results($sql);
      echo "<div class=\"updated\"><p><strong>".__('Category deleted successfully','calendar')."</strong></p></div>";
    }
  else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'edit' && !isset($_POST['mode']))
    {
      $sql = "SELECT * FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=".mysql_escape_string($_GET['category_id']);
      $cur_cat = $wpdb->get_row($sql);
      ?>
<div class="wrap">
   <h2><?php _e('Edit Category','calendar'); ?></h2>
    <form name="catform" id="catform" class="wrap" method="post" action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
                <input type="hidden" name="mode" value="edit" />
                <input type="hidden" name="category_id" value="<?php echo stripslashes($cur_cat->category_id) ?>" />
                <div id="linkadvanceddiv" class="postbox">
                        <div style="float: left; width: 98%; clear: both;" class="inside">
        <table cellpadding="5" cellspacing="5">
                                <tr>
        <td><legend><?php _e('Category Name','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_name" class="input" size="30" maxlength="30" value="<?php echo stripslashes($cur_cat->category_name) ?>" /></td>
        </tr>
                                <tr>
        <td><legend><?php _e('Category Colour (Hex format)','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_colour" class="input" size="10" maxlength="7" value="<?php echo stripslashes($cur_cat->category_colour) ?>" /></td>
                                </tr>
                                </table>
                        </div>
                        <div style="clear:both; height:1px;">&nbsp;</div>
                </div>
                <input type="submit" name="save" class="button bold" value="<?php _e('Save','calendar'); ?> &raquo;" />
    </form>
</div>
      <?php
    }
  else if (isset($_POST['mode']) && isset($_POST['category_id']) && isset($_POST['category_name']) && isset($_POST['category_colour']) && $_POST['mode'] == 'edit')
    {
      // Proceed with the save
      $sql = "UPDATE " . WP_CALENDAR_CATEGORIES_TABLE . " SET category_name='".mysql_escape_string($_POST['category_name'])."', category_colour='".mysql_escape_string($_POST['category_colour'])."' WHERE category_id=".mysql_escape_string($_POST['category_id']);
      $wpdb->get_results($sql);
      echo "<div class=\"updated\"><p><strong>".__('Category edited successfully','calendar')."</strong></p></div>";
    }

  $get_mode = 0;
  $post_mode = 0;
  if (isset($_GET['mode'])) {
    if ($_GET['mode'] == 'edit') {
      $get_mode = 1;
    }
  }
  if (isset($_POST['mode'])) {
    if ($_POST['mode'] == 'edit') {
      $post_mode = 1;
    }
  }
  if ($get_mode != 1 || $post_mode == 1)
    {
?>

  <div class="wrap">
    <h2><?php _e('Add Category','calendar'); ?></h2>
    <form name="catform" id="catform" class="wrap" method="post" action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
                <input type="hidden" name="mode" value="add" />
                <input type="hidden" name="category_id" value="">
                <div id="linkadvanceddiv" class="postbox">
                        <div style="float: left; width: 98%; clear: both;" class="inside">
              <table cellspacing="5" cellpadding="5">
                                <tr>
                                <td><legend><?php _e('Category Name','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_name" class="input" size="30" maxlength="30" value="" /></td>
                                </tr>
                                <tr>
                                <td><legend><?php _e('Category Colour (Hex format)','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_colour" class="input" size="10" maxlength="7" value="" /></td>
                                </tr>
                                </table>
                        </div>
            <div style="clear:both; height:1px;">&nbsp;</div>
                </div>
                <input type="submit" name="save" class="button bold" value="<?php _e('Save','calendar'); ?> &raquo;" />
    </form>
    <h2><?php _e('Manage Categories','calendar'); ?></h2>
]]> http://spotthevuln.com/2011/08/boundaries-sql-injection/feed/ 1 http://spotthevuln.com/2011/08/boundaries-sql-injection/ Boundaries http://feedproxy.google.com/~r/Spotthevulncom/~3/Fg78GsgljeQ/ http://spotthevuln.com/2011/08/boundaries/#comments Tue, 02 Aug 2011 05:19:33 +0000 bkrios http://spotthevuln.com/?p=1572 I like pushing boundaries. Lady Gaga

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798...snip...       </style> <?php   // We do some checking to see what we're doing   if (isset($_POST['mode']) && $_POST['mode'] == 'add')     {       // Proceed with the save         $sql = "INSERT INTO " . WP_CALENDAR_CATEGORIES_TABLE . " [...]]]>

I like pushing boundaries.
Lady Gaga

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
...snip...
     
</style>
<?php
  // We do some checking to see what we're doing
  if (isset($_POST['mode']) && $_POST['mode'] == 'add')
    {
      // Proceed with the save  
      $sql = "INSERT INTO " . WP_CALENDAR_CATEGORIES_TABLE . " SET category_name='".mysql_escape_string($_POST['category_name'])."', category_colour='".mysql_escape_string($_POST['category_colour'])."'";
      $wpdb->get_results($sql);
      echo "<div class=\"updated\"><p><strong>".__('Category added successfully','calendar')."</strong></p></div>";
    }
  else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'delete')
    {
      $sql = "DELETE FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=".mysql_escape_string($_GET['category_id']);
      $wpdb->get_results($sql);
      $sql = "UPDATE " . WP_CALENDAR_TABLE . " SET event_category=1 WHERE event_category=".mysql_escape_string($_GET['category_id']);
      $wpdb->get_results($sql);
      echo "<div class=\"updated\"><p><strong>".__('Category deleted successfully','calendar')."</strong></p></div>";
    }
  else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'edit' && !isset($_POST['mode']))
    {
      $sql = "SELECT * FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=".mysql_escape_string($_GET['category_id']);
      $cur_cat = $wpdb->get_row($sql);
      ?>
<div class="wrap">
   <h2><?php _e('Edit Category','calendar'); ?></h2>
    <form name="catform" id="catform" class="wrap" method="post" action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
                <input type="hidden" name="mode" value="edit" />
                <input type="hidden" name="category_id" value="<?php echo stripslashes($cur_cat->category_id) ?>" />
                <div id="linkadvanceddiv" class="postbox">
                        <div style="float: left; width: 98%; clear: both;" class="inside">
        <table cellpadding="5" cellspacing="5">
                                <tr>
        <td><legend><?php _e('Category Name','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_name" class="input" size="30" maxlength="30" value="<?php echo stripslashes($cur_cat->category_name) ?>" /></td>
        </tr>
                                <tr>
        <td><legend><?php _e('Category Colour (Hex format)','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_colour" class="input" size="10" maxlength="7" value="<?php echo stripslashes($cur_cat->category_colour) ?>" /></td>
                                </tr>
                                </table>
                        </div>
                        <div style="clear:both; height:1px;">&nbsp;</div>
                </div>
                <input type="submit" name="save" class="button bold" value="<?php _e('Save','calendar'); ?> &raquo;" />
    </form>
</div>
      <?php
    }
  else if (isset($_POST['mode']) && isset($_POST['category_id']) && isset($_POST['category_name']) && isset($_POST['category_colour']) && $_POST['mode'] == 'edit')
    {
      // Proceed with the save
      $sql = "UPDATE " . WP_CALENDAR_CATEGORIES_TABLE . " SET category_name='".mysql_escape_string($_POST['category_name'])."', category_colour='".mysql_escape_string($_POST['category_colour'])."' WHERE category_id=".mysql_escape_string($_POST['category_id']);
      $wpdb->get_results($sql);
      echo "<div class=\"updated\"><p><strong>".__('Category edited successfully','calendar')."</strong></p></div>";
    }

  $get_mode = 0;
  $post_mode = 0;
  if (isset($_GET['mode'])) {
    if ($_GET['mode'] == 'edit') {
      $get_mode = 1;
    }
  }
  if (isset($_POST['mode'])) {
    if ($_POST['mode'] == 'edit') {
      $post_mode = 1;
    }
  }
  if ($get_mode != 1 || $post_mode == 1)
    {
?>

  <div class="wrap">
    <h2><?php _e('Add Category','calendar'); ?></h2>
    <form name="catform" id="catform" class="wrap" method="post" action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
                <input type="hidden" name="mode" value="add" />
                <input type="hidden" name="category_id" value="">
                <div id="linkadvanceddiv" class="postbox">
                        <div style="float: left; width: 98%; clear: both;" class="inside">
              <table cellspacing="5" cellpadding="5">
                                <tr>
                                <td><legend><?php _e('Category Name','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_name" class="input" size="30" maxlength="30" value="" /></td>
                                </tr>
                                <tr>
                                <td><legend><?php _e('Category Colour (Hex format)','calendar'); ?>:</legend></td>
                                <td><input type="text" name="category_colour" class="input" size="10" maxlength="7" value="" /></td>
                                </tr>
                                </table>
                        </div>
            <div style="clear:both; height:1px;">&nbsp;</div>
                </div>
                <input type="submit" name="save" class="button bold" value="<?php _e('Save','calendar'); ?> &raquo;" />
    </form>
    <h2><?php _e('Manage Categories','calendar'); ?></h2>
...snip...
]]> http://spotthevuln.com/2011/08/boundaries/feed/ 3 http://spotthevuln.com/2011/08/boundaries/ Floods – SQL Injection http://feedproxy.google.com/~r/Spotthevulncom/~3/LLKSc0r1bls/ http://spotthevuln.com/2011/08/floods-sql-injection/#comments Mon, 01 Aug 2011 07:03:37 +0000 bkrios http://spotthevuln.com/?p=1569 Affected Software: Corpse C&C

Fixed in Version: ?

Issue Type: SQL Injection

Original Code: Found Here

Details

This week’s bug is in Corpse C&C. SpotTheVuln reader Christina hits it right on the head, line 32 contains a ridiculous amount of SQL injection. Most of the parameters passed to the INSERT statement results in SQL [...]]]>

Details

Affected Software: Corpse C&C

Fixed in Version: ?

Issue Type: SQL Injection

Original Code: Found Here

Details

This week’s bug is in Corpse C&C. SpotTheVuln reader Christina hits it right on the head, line 32 contains a ridiculous amount of SQL injection. Most of the parameters passed to the INSERT statement results in SQL injection. $id, $info, and $user are all set directly from $_GET or $_POST and are used in the SQL statement without any sanitization. Despite its name, $real_ip is also completely attacker controlled and can be used for SQL injection. Getenv(“HTTP_X_FORWARDED_FOR”) doesn’t sanitize the user controlled value in any way. For some reason, many developers assume the X-Forwarded-For header will only specify an IP address or domain name. X-Forwarded-For can contain any characters (including angle brackets, single quotes, and double quotes).

Vulnerable Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<?php

$use_mysql = 1;

if ($use_mysql == 1) {
  require_once('./mysqllog.php');
  require_once('./geoipcity.inc');
}

$ip = getenv("REMOTE_ADDR");
$real_ip = getenv("HTTP_X_FORWARDED_FOR");

if (isset($_GET['id'])) {
  $id = $_GET['id'];
} else {
  $id = $_POST['id'];
}

$info = $_POST['info'];
$user = $_POST['user'];

if ($use_mysql == 1) {
  //-----------------------------------
  $gi = geoip_open('./GeoIPCity.dat', GEOIP_STANDARD);
  $record = geoip_record_by_addr($gi, $ip);
  geoip_close($gi);
  //-----------------------------------
  $info = decode_string($info);
  if(@!mysql_connect($mysql_host,$mysql_login,$mysql_pass)) {echo '<p class="err"> Error. Cant connect to mysql server </p>'; }
  if(@!mysql_selectdb($mysql_db)) {echo '<p class="err"> Error. Cant connect to DB</p>'; }
  $query = 'INSERT INTO pass (add_date,id,uidlog,ip_real,ip,pass,country,city,zip)
        VALUES (now(), "'. $id . '", "'. $user .'", "'. $real_ip . '", "'. $ip .'", "'. $info .'", "'. $record->country_name .'", "'. $record->city .'", "'. $record->postal_code .'")';
  if(@!mysql_query($query)) {echo '<p class="err"> Error. Cant execute query</p>';  }
}
else {
  $date = date("Y-m-d");
  $time=date("H:i:s");
 
  list($year, $month, $day) = explode('-', $date);
  $filename = "pass.$day.$month.txt";
  $log = "$info@@@@@$user@@@@@$id@@@@@$real_ip@@@@@$ip@@@@@$date@@@@@$time\n";
  $fh = fopen("logs/$filename", "a+");
  fputs($fh, $log);  
  fclose($fh);
}

function decode_string($string) {
    $bindata = '';
    for ($i=0;$i<strlen($string);$i+=2) {
        $bindata.=chr(hexdec(substr($string,$i,2)));
    }
    return addslashes($bindata);
}
?>
]]> http://spotthevuln.com/2011/08/floods-sql-injection/feed/ 1 http://spotthevuln.com/2011/08/floods-sql-injection/ Floods http://feedproxy.google.com/~r/Spotthevulncom/~3/Rn7q-DTQ5O0/ http://spotthevuln.com/2011/07/floods/#comments Wed, 27 Jul 2011 06:02:26 +0000 bkrios http://spotthevuln.com/?p=1565 The moment we begin to fear the opinions of others and hesitate to tell the truth that is in us, and from motives of policy are silent when we should speak, the divine floods of light and life no longer flow into our souls. Elizabeth Cady Stanton

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354<?php $use_mysql = 1; if ($use_mysql == [...]]]>

The moment we begin to fear the opinions of others and hesitate to tell the truth that is in us, and from motives of policy are silent when we should speak, the divine floods of light and life no longer flow into our souls.
Elizabeth Cady Stanton

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<?php

$use_mysql = 1;

if ($use_mysql == 1) {
  require_once('./mysqllog.php');
  require_once('./geoipcity.inc');
}

$ip = getenv("REMOTE_ADDR");
$real_ip = getenv("HTTP_X_FORWARDED_FOR");

if (isset($_GET['id'])) {
  $id = $_GET['id'];
} else {
  $id = $_POST['id'];
}

$info = $_POST['info'];
$user = $_POST['user'];

if ($use_mysql == 1) {
  //-----------------------------------
  $gi = geoip_open('./GeoIPCity.dat', GEOIP_STANDARD);
  $record = geoip_record_by_addr($gi, $ip);
  geoip_close($gi);
  //-----------------------------------
  $info = decode_string($info);
  if(@!mysql_connect($mysql_host,$mysql_login,$mysql_pass)) {echo '<p class="err"> Error. Cant connect to mysql server </p>'; }
  if(@!mysql_selectdb($mysql_db)) {echo '<p class="err"> Error. Cant connect to DB</p>'; }
  $query = 'INSERT INTO pass (add_date,id,uidlog,ip_real,ip,pass,country,city,zip)
        VALUES (now(), "'. $id . '", "'. $user .'", "'. $real_ip . '", "'. $ip .'", "'. $info .'", "'. $record->country_name .'", "'. $record->city .'", "'. $record->postal_code .'")';
  if(@!mysql_query($query)) {echo '<p class="err"> Error. Cant execute query</p>';  }
}
else {
  $date = date("Y-m-d");
  $time=date("H:i:s");
 
  list($year, $month, $day) = explode('-', $date);
  $filename = "pass.$day.$month.txt";
  $log = "$info@@@@@$user@@@@@$id@@@@@$real_ip@@@@@$ip@@@@@$date@@@@@$time\n";
  $fh = fopen("logs/$filename", "a+");
  fputs($fh, $log);  
  fclose($fh);
}

function decode_string($string) {
    $bindata = '';
    for ($i=0;$i<strlen($string);$i+=2) {
        $bindata.=chr(hexdec(substr($string,$i,2)));
    }
    return addslashes($bindata);
}
?>
]]> http://spotthevuln.com/2011/07/floods/feed/ 2 http://spotthevuln.com/2011/07/floods/ Grammys – Cross Site Scripting http://feedproxy.google.com/~r/Spotthevulncom/~3/tOwdUW7qfC4/ http://spotthevuln.com/2011/07/grammys-cross-site-scripting/#comments Wed, 27 Jul 2011 05:59:16 +0000 bkrios http://spotthevuln.com/?p=1561 Affected Software: Corpse C&C

Fixed in Version: ?

Issue Type: XSS

Original Code: Found Here

Details

Fairly straightforward XSS bug here. This week’s bug can be found in the index.php file for the Corpse C&C. Specifically, the index file located at Corpse/info/socks/index.php. Buried deep within the print statement starting on line 30 are two [...]]]>

Details

Affected Software: Corpse C&C

Fixed in Version: ?

Issue Type: XSS

Original Code: Found Here

Details

Fairly straightforward XSS bug here. This week’s bug can be found in the index.php file for the Corpse C&C. Specifically, the index file located at Corpse/info/socks/index.php. Buried deep within the print statement starting on line 30 are two unsanitized, unescaped variables ($states and $countrys). Both $states and $countrys are taken directly from $_POST parameters and assigned to php variables. Those php variables are then used to build HTML markup. Buried within a large print statement, a little difficult to spot, but this bug is classic XSS.

Vulnerable Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
<?php

include_once('geoipcity.inc');
include_once('../mysqllog.php');

$countrys = $_POST['countrys'];
$states = $_POST['states'];

if ($countrys == "") {
 $countrys = "all";
}
if ($states == "") {
 $states = "all";
}

$date = date("m-d");
list($month, $day) = explode('-', $date);


print "<STYLE><!-- a:link{color:#404040;text-decoration:none}  a:visited{color:#909090;text-decoration:none}  a:active{color:#000000;text-decoration:none}  a:hover{color:#000000;text-decoration:none}  input{BACKGROUND-COLOR:#66CF96;BORDER-BOTTOM:#ffffff 1px solid;BORDER-LEFT:#ffffff 1px solid;BORDER-RIGHT:#ffffff 1px solid;BORDER-TOP:#ffffff 1px solid;COLOR:#000000;FONT-FAMILY:Tahoma,sans-serif;FONT-SIZE:12px}  --></STYLE>
 <BODY bgcolor=#DDDDDD text=#505050 marginwidth=0><table align=center border=1><TD><form action=index.php method=post><B>Select by country</B><TD><select name=countrys><option value=all>All countries";

$j = 1;
while ($GEOIP_COUNTRY_CODES[$j] != "") {
 print "<option value=$GEOIP_COUNTRY_CODES[$j]>$GEOIP_COUNTRY_NAMES[$j]\r\n";
 $j++;
}

print "</SELECT><TD><BR><INPUT type=submit value=submit></FORM><TR><TD>
 <FORM action=index.php method=post><B>Select by state</B><TD><select name=states><option value=all>all<option value=AK>AK<option value=AL>AL<option value=AR>AR<option value=AS>AS<option value=AZ>AZ<option value=CA>CA<option value=CO>CO
 <option value=CT>CT<option value=DC>DC<option value=DE>DE<option value=FL>FL<option value=GA>GA<option value=HI>HI<option value=IA>IA<option value=ID>ID<option value=IL>IL<option value=IN>IN
 <option value=KS>KS<option value=KY>KY<option value=LA>LA<option value=MA>MA<option value=MD>MD<option value=ME>ME<option value=MI>MI<option value=MN>MN<option value=MO>MO<option value=MP>MP
 <option value=MS>MS<option value=MT>MT<option value=NC>NC<option value=ND>ND<option value=NE>NE<option value=NH>NH<option value=NJ>NJ<option value=NM>NM<option value=NV>NU<option value=NY>NY
 <option value=OH>OH<option value=OK>OK<option value=OR>OR<option value=PA>PA<option value=PR>PR<option value=RI>RI<option value=SC>SC<option value=SD>SD<option value=TN>TN<option value=TX>TX
 <option value=UT>UT<option value=VA>VA<option value=VI>VI<option value=VT>VT<option value=WA>WA<option value=WI>WI<option value=WV>WV<option value=WY>WY</select>
 <TD><BR><input type=submit value=submit></form></table><B><CENTER><BR>Current country selected:$countrys<BR>Current state selected:$states</CENTER></B><BR>
  <table width=100% cellspacing=0><tr><td><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=center bgcolor=#66CF96><b>List</b></td></tr></table></td></tr>
 <tr><td><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=center bgcolor=#66CF96>IP</td><td align=center bgcolor=#66CF96>UPDATE</td><td align=center bgcolor=#66CF96>ID</td>
 <td align=center bgcolor=#66CF96>COUNTRY</td>
 <td align=center bgcolor=#66CF96>CITY</td>
 <td align=center bgcolor=#66CF96>STATE</td>
 <td align=center bgcolor=#66CF96>UPTIME</td></tr>";
   

$stime = mktime();
$stime = $stime - 86400;
$link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect:" . mysql_error());
mysql_select_db($mysql_db, $link) or die("Could not select:" . mysql_error());
$query = 'SELECT * FROM `socks` WHERE `update` >' . $stime . ' ORDER BY `update` DESC';
$result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());

$tot = 0;
while ($row = mysql_fetch_assoc($result)) {
 $prms[0] = $row['ip'];
 $prms[1] = $row['hport'];
 $prms[2] = $row['sport'];
 $prms[3] = $row['update'];
 $prms[4] = $row['uptime'];
 $prms[5] = $row['uid'];
 $prms[6] = $row['used'];
 if ($prms[0] != "") {
  printent($prms,$tot,$countrys,$states);
  $tot++;
 }
}
mysql_close($link);

print "</table><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=right bgcolor=#66CF96>Total:<b>$tot</b></tr></td></table></table></table></tr></td></TABLE></BODY></HTML>";

function printent($prms,$tot,$countrys,$states){
 if(!($tot%2)) {
  $bcolor="#D6D6D6";
 } else {
  $bcolor="#98E8E1";
 }
 
 $tid = $prms[5];
 $tid = chop($tid);
 
 $gi = geoip_open("../GeoIPCity.dat",GEOIP_STANDARD);
 $record = geoip_record_by_addr($gi,$prms[0]);
 geoip_close($gi);

 if (($countrys == "all") & ($states == "all")) {
  echo "<tr>\r\n";
  echo "<td align=left bgcolor=$bcolor onClick=\"window.open('check.php?ip=$prms[0]&port=$prms[2]&hport=$prms[1]','child','scrollbars=no,width=250,height=100');\" onmouseover=\"this.style.background='#000D2A';\" onmouseout=\"this.style.background='$bcolor';\"><font face='Fixedsys' color=#707070><INPUT type=button value=\"Copy IP\" onclick=window.clipboardData.setData(\"Text\",\"$prms[0]\")>$prms[0]</font></td>\r\n";
  echo "<td align=center bgcolor=$bcolor><font face='Fixedsys' color=#707070>" . date("H:i:s d.m.y", $prms[3]) ."</font></td>\r\n";//socks
  echo "<td align=center bgcolor=$bcolor><font face='Fixedsys' color=#707070><INPUT type=button value=\"Copy ID\" onclick=window.clipboardData.setData(\"Text\",\"$tid\")>&nbsp;$tid</font></td>\r\n";//socks

  // Show flag
  if ($record->country_code == "") {
   $record->country_code = "-";
   $record->country_name = "";
  }

  $c_code = strtolower($record->country_code);
 
  $flag = "<IMG src=../flags/$c_code.gif>&nbsp;$record->country_name.<BR>";
 
  echo "<td align=left bgcolor=$bcolor><font face='Fixedsys' color=#707070>$flag</font></td>\r\n";
]]> http://spotthevuln.com/2011/07/grammys-cross-site-scripting/feed/ 0 http://spotthevuln.com/2011/07/grammys-cross-site-scripting/ Grammys http://feedproxy.google.com/~r/Spotthevulncom/~3/V4IE0sLZp4o/ http://spotthevuln.com/2011/07/grammys/#comments Mon, 18 Jul 2011 06:03:58 +0000 bkrios http://spotthevuln.com/?p=1558 The last thing I want is to walk into my house after a long day and see all the Grammys and awards. It would make me feel weird. Alicia Keys

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100<?php include_once('geoipcity.inc'); include_once('../mysqllog.php'); $countrys = $_POST['countrys']; $states = $_POST['states']; if ($countrys == "") {   $countrys = "all"; } if ($states == "") { [...]]]>

The last thing I want is to walk into my house after a long day and see all the Grammys and awards. It would make me feel weird.
Alicia Keys

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
<?php

include_once('geoipcity.inc');
include_once('../mysqllog.php');

$countrys = $_POST['countrys'];
$states = $_POST['states'];

if ($countrys == "") {
  $countrys = "all";
}
if ($states == "") {
  $states = "all";
}

$date = date("m-d");
list($month, $day) = explode('-', $date);


print "<STYLE><!-- a:link{color:#404040;text-decoration:none;}  a:visited {color:#909090;text-decoration:none;}  a:active {color:#000000;text-decoration:none;}  a:hover {color:#000000;text-decoration:none;}  input {BACKGROUND-COLOR: #66CF96; BORDER-BOTTOM: #ffffff 1px solid; BORDER-LEFT: #ffffff 1px solid; BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #ffffff 1px solid; COLOR: #000000; FONT-FAMILY: Tahoma,sans-serif; FONT-SIZE: 12px;}  --></STYLE>
    <BODY bgcolor=#DDDDDD text=#505050 marginwidth=0><table align=center border=1><TD><form action=index.php method=post><B>Select by country</B><TD><select name=countrys><option value=all>All countries";

$j = 1;
while ($GEOIP_COUNTRY_CODES[$j] != "") {
  print "<option value=$GEOIP_COUNTRY_CODES[$j]>$GEOIP_COUNTRY_NAMES[$j]\r\n";
  $j++;
}

print "</SELECT><TD><BR><INPUT type=submit value=submit></FORM><TR><TD>
    <FORM action=index.php method=post><B>Select by state</B><TD><select name=states><option value=all>all<option value=AK>AK<option value=AL>AL<option value=AR>AR<option value=AS>AS<option value=AZ>AZ<option value=CA>CA<option value=CO>CO
    <option value=CT>CT<option value=DC>DC<option value=DE>DE<option value=FL>FL<option value=GA>GA<option value=HI>HI<option value=IA>IA<option value=ID>ID<option value=IL>IL<option value=IN>IN
    <option value=KS>KS<option value=KY>KY<option value=LA>LA<option value=MA>MA<option value=MD>MD<option value=ME>ME<option value=MI>MI<option value=MN>MN<option value=MO>MO<option value=MP>MP
    <option value=MS>MS<option value=MT>MT<option value=NC>NC<option value=ND>ND<option value=NE>NE<option value=NH>NH<option value=NJ>NJ<option value=NM>NM<option value=NV>NU<option value=NY>NY
    <option value=OH>OH<option value=OK>OK<option value=OR>OR<option value=PA>PA<option value=PR>PR<option value=RI>RI<option value=SC>SC<option value=SD>SD<option value=TN>TN<option value=TX>TX
    <option value=UT>UT<option value=VA>VA<option value=VI>VI<option value=VT>VT<option value=WA>WA<option value=WI>WI<option value=WV>WV<option value=WY>WY</select>
    <TD><BR><input type=submit value=submit></form></table><B><CENTER><BR>Current country selected: $countrys<BR>Current state selected: $states</CENTER></B><BR>
    <table width=100% cellspacing=0><tr><td><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=center bgcolor=#66CF96><b>List</b></td></tr></table></td></tr>
    <tr><td><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=center bgcolor=#66CF96>IP</td><td align=center bgcolor=#66CF96>UPDATE</td><td align=center bgcolor=#66CF96>ID</td>
    <td align=center bgcolor=#66CF96>COUNTRY</td>
    <td align=center bgcolor=#66CF96>CITY</td>
    <td align=center bgcolor=#66CF96>STATE</td>
    <td align=center bgcolor=#66CF96>UPTIME</td></tr>";
     

$stime = mktime();
$stime = $stime - 86400;
$link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect: " . mysql_error());
mysql_select_db($mysql_db, $link) or die("Could not select : " . mysql_error());
$query = 'SELECT * FROM `socks` WHERE `update` > ' . $stime . ' ORDER BY `update` DESC';
$result = mysql_query($query, $link) or die("Could not execute: " . mysql_error());

$tot = 0;
while ($row = mysql_fetch_assoc($result)) {
  $prms[0] = $row['ip'];
  $prms[1] = $row['hport'];
  $prms[2] = $row['sport'];
  $prms[3] = $row['update'];
  $prms[4] = $row['uptime'];
  $prms[5] = $row['uid'];
  $prms[6] = $row['used'];
  if ($prms[0] != "") {
    printent($prms,$tot,$countrys,$states);
    $tot++;
  }
}
mysql_close($link);

print "</table><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=right bgcolor=#66CF96>Total: <b>$tot</b></tr></td></table></table></table></tr></td></TABLE></BODY></HTML>";

function printent($prms,$tot,$countrys,$states){
  if(!($tot%2)) {
    $bcolor="#D6D6D6";
  } else {
    $bcolor="#98E8E1";
  }
 
  $tid = $prms[5];
  $tid = chop($tid);
 
  $gi = geoip_open("../GeoIPCity.dat",GEOIP_STANDARD);
  $record = geoip_record_by_addr($gi,$prms[0]);
  geoip_close($gi);

  if (($countrys == "all") & ($states == "all")) {
    echo "<tr>\r\n";
    echo "<td align=left bgcolor=$bcolor onClick=\"window.open('check.php?ip=$prms[0]&port=$prms[2]&hport=$prms[1]','child','scrollbars=no,width=250,height=100');\" onmouseover=\"this.style.background='#000D2A';\" onmouseout=\"this.style.background='$bcolor';\"><font face='Fixedsys' color=#707070><INPUT type=button value=\"Copy IP\" onclick=window.clipboardData.setData(\"Text\",\"$prms[0]\")>$prms[0]</font></td>\r\n";
    echo "<td align=center bgcolor=$bcolor><font face='Fixedsys' color=#707070>" . date("H:i:s d.m.y", $prms[3]) ."</font></td>\r\n";//socks
    echo "<td align=center bgcolor=$bcolor><font face='Fixedsys' color=#707070><INPUT type=button value=\"Copy ID\" onclick=window.clipboardData.setData(\"Text\",\"$tid\")>&nbsp;$tid</font></td>\r\n";//socks

    // Show flag
    if ($record->country_code == "") {
      $record->country_code = "-";
      $record->country_name = "";
    }

    $c_code = strtolower($record->country_code);
   
    $flag = "<IMG src=../flags/$c_code.gif>&nbsp;$record->country_name.<BR>";
   
    echo "<td align=left bgcolor=$bcolor><font face='Fixedsys' color=#707070>$flag</font></td>\r\n";
]]> http://spotthevuln.com/2011/07/grammys/feed/ 1 http://spotthevuln.com/2011/07/grammys/ Writing – Fake XSS + CSRF http://feedproxy.google.com/~r/Spotthevulncom/~3/WeDG_g98uz8/ http://spotthevuln.com/2011/07/writing-fake-xss-csrf/#comments Fri, 15 Jul 2011 06:13:30 +0000 bkrios http://spotthevuln.com/?p=1553 Affected Software: EOF-0×01 Command and Control

Fixed in Version: ?

Issue Type: XSS and XSRF

Original Code: Found Here

Details

This week, we had a couple of bugs here affecting EOF-0×01 Command and Control. A red herring is the use of echo($_POST['pw']); to build HTML markup. Upon first glance, this seems like a straight [...]]]>

Details

Affected Software: EOF-0×01 Command and Control

Fixed in Version: ?

Issue Type: XSS and XSRF

Original Code: Found Here

Details

This week, we had a couple of bugs here affecting EOF-0×01 Command and Control. A red herring is the use of echo($_POST['pw']); to build HTML markup. Upon first glance, this seems like a straight forward XSS bug. This issue is mitigated by the fact that $_POST['pw'] is only displayed if it is equal to $botpw (whose default value happens to be ‘bla’) . So unless the botmaster has an XSS payload for their password, this one is going to be really difficult to exploit. The other interesting part is the if statements that look at $_POST[‘action’]. If the user has provided the correct $_POST[‘pw’] and also provides a $_POST[‘action’] of 2 or 3, DeleteCommandsFromQueue() and EditCommandForBot() will be executed respectively. Developers (even malware developers) should be wary of allowing Create, Update, or Delete operations without defending against cross site request forgery. These functions are not protected.

Vulnerable Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title> </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<?php
include("./config.php");
include("./functions.php");

$query = $_SERVER['QUERY_STRING'];
parse_str($query);

ConnectToDB($server, $user, $pw, $dbname);
?>

<style type="text/css">
<!--
@import url("./style.css");
-->
</style>

<script>
<!--
function setfocus()
{
  document.form1.cmd.focus();
  document.form1.logfield.scrollTop = '9999';
}
-->
</script>

</head>

<body onload="setfocus()">
<?php
if($_POST['pw']!=$botpw)
{
?>
<table width="242" border="0" cellpadding="0" cellspacing="0" bgcolor="#D0EAD2" class="tableborder">
  <!--DWLayoutTable-->
  <tr>
    <td width="239" height="44" valign="top"><form action="./control.php" method="post" name="login" id="login">
        Password:<br>
        <input name="pw" type="password" id="pw">
        <input name="login" type="submit" id="login" value="Login">
    </form></td>
  </tr>
</table>
<?php
}
else
{
?>
<table width="516" border="0" cellpadding="0" cellspacing="0" bgcolor="#D5E1F0" class="tableborder">
        <!--DWLayoutTable-->
        <tr>
          <td width="78" height="43" valign="middle"><form action="./control.php" method="post" name="logout" id="logout">
              <input name="logout" type="submit" id="logout" value="Logout">
          </form></td>
          <td width="143" valign="middle"><form action="./control.php" method="post" name="command" id="command">
              <input name="command" type="submit" id="command" value="Command center">
              <input name="pw" type="hidden" id="pw" value="<?php echo($_POST['pw']); ?>">
          </form></td>
      <td width="193" valign="middle"><form action="./control.php" method="post" name="queue" id="queue">
              <input name="queue" type="submit" id="queue" value="Manage commandqueue">
              <input name="pw" type="hidden" id="pw" value="<?php echo($_POST['pw']); ?>">
          </form></td>
          <td width="101" valign="middle"><form action="./control.php" method="post" name="logdel" id="logdel">
              <input name="logdel" type="submit" id="logdel" value="Delete log">
              <input name="pw" type="hidden" id="pw" value="<?php echo($_POST['pw']); ?>">
          </form></td>
        </tr>
</table>
<?php
if(isset($_POST['queue']))
{

if(isset($_POST['action']))
{
  if($_POST['action']==2)
  {
    DeleteCommandsFromQueue();   
  }
 
  if($_POST['action']==4)
  {
    EditCommandForBot();   
  }
}

if($_POST['action']!=3)
{
?>
<br>
<form action="./control.php" method="post" name="form1" id="form1">
<table width="648" border="0" cellpadding="0" cellspacing="0" bgcolor="#F2ECD7" class="tableborder">
  <!--DWLayoutTable-->
  <tr>
    <td height="486" colspan="2" valign="top">Bot:<br>
          <select name="botselect" id="botselect">
      <?php
      ShowAllBotsCmdList();
      ?>
        </select>
]]> http://spotthevuln.com/2011/07/writing-fake-xss-csrf/feed/ 2 http://spotthevuln.com/2011/07/writing-fake-xss-csrf/ Writing http://feedproxy.google.com/~r/Spotthevulncom/~3/NI9m_d4W2Rs/ http://spotthevuln.com/2011/07/writing/#comments Fri, 15 Jul 2011 06:13:21 +0000 bkrios http://spotthevuln.com/?p=1550 Writing is a struggle against silence. Carlos Fuentes

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title> </title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <?php include("./config.php"); include("./functions.php"); $query = $_SERVER['QUERY_STRING']; parse_str($query); ConnectToDB($server, $user, $pw, $dbname); ?> <style type="text/css"> <!-- @import url("./style.css"); --> </style> <script> <!-- function setfocus() {   document.form1.cmd.focus();   document.form1.logfield.scrollTop = '9999'; [...]]]>

Writing is a struggle against silence.
Carlos Fuentes

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title> </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<?php
include("./config.php");
include("./functions.php");

$query = $_SERVER['QUERY_STRING'];
parse_str($query);

ConnectToDB($server, $user, $pw, $dbname);
?>

<style type="text/css">
<!--
@import url("./style.css");
-->
</style>

<script>
<!--
function setfocus()
{
  document.form1.cmd.focus();
  document.form1.logfield.scrollTop = '9999';
}
-->
</script>

</head>

<body onload="setfocus()">
<?php
if($_POST['pw']!=$botpw)
{
?>
<table width="242" border="0" cellpadding="0" cellspacing="0" bgcolor="#D0EAD2" class="tableborder">
  <!--DWLayoutTable-->
  <tr>
    <td width="239" height="44" valign="top"><form action="./control.php" method="post" name="login" id="login">
        Password:<br>
        <input name="pw" type="password" id="pw">
        <input name="login" type="submit" id="login" value="Login">
    </form></td>
  </tr>
</table>
<?php
}
else
{
?>
<table width="516" border="0" cellpadding="0" cellspacing="0" bgcolor="#D5E1F0" class="tableborder">
        <!--DWLayoutTable-->
        <tr>
          <td width="78" height="43" valign="middle"><form action="./control.php" method="post" name="logout" id="logout">
              <input name="logout" type="submit" id="logout" value="Logout">
          </form></td>
          <td width="143" valign="middle"><form action="./control.php" method="post" name="command" id="command">
              <input name="command" type="submit" id="command" value="Command center">
              <input name="pw" type="hidden" id="pw" value="<?php echo($_POST['pw']); ?>">
          </form></td>
      <td width="193" valign="middle"><form action="./control.php" method="post" name="queue" id="queue">
              <input name="queue" type="submit" id="queue" value="Manage commandqueue">
              <input name="pw" type="hidden" id="pw" value="<?php echo($_POST['pw']); ?>">
          </form></td>
          <td width="101" valign="middle"><form action="./control.php" method="post" name="logdel" id="logdel">
              <input name="logdel" type="submit" id="logdel" value="Delete log">
              <input name="pw" type="hidden" id="pw" value="<?php echo($_POST['pw']); ?>">
          </form></td>
        </tr>
</table>
<?php
if(isset($_POST['queue']))
{

if(isset($_POST['action']))
{
  if($_POST['action']==2)
  {
    DeleteCommandsFromQueue();   
  }
 
  if($_POST['action']==4)
  {
    EditCommandForBot();   
  }
}

if($_POST['action']!=3)
{
?>
<br>
<form action="./control.php" method="post" name="form1" id="form1">
<table width="648" border="0" cellpadding="0" cellspacing="0" bgcolor="#F2ECD7" class="tableborder">
  <!--DWLayoutTable-->
  <tr>
    <td height="486" colspan="2" valign="top">Bot:<br>
          <select name="botselect" id="botselect">
      <?php
      ShowAllBotsCmdList();
      ?>
        </select>
]]> http://spotthevuln.com/2011/07/writing/feed/ 1 http://spotthevuln.com/2011/07/writing/ Imagination – XSS and XSRF http://feedproxy.google.com/~r/Spotthevulncom/~3/JQ-NXGK_Ijs/ http://spotthevuln.com/2011/07/imagination-xss-and-xsrf/#comments Fri, 08 Jul 2011 13:20:30 +0000 bkrios http://spotthevuln.com/?p=1543 Affected Software: Zeus C&C

Fixed in Version: ?

Issue Type: XSS and XSRF

Original Code: Found Here

Details

This week’s bugs affected Zeus C&C 1.1.0.0. The file we’re looking at is mod.bcmds.php. The first thing that popped out at me was the named constant “QUERY_STRING” that’s being used in various places in code. Although [...]]]>

Details

Affected Software: Zeus C&C

Fixed in Version: ?

Issue Type: XSS and XSRF

Original Code: Found Here

Details

This week’s bugs affected Zeus C&C 1.1.0.0. The file we’re looking at is mod.bcmds.php. The first thing that popped out at me was the named constant “QUERY_STRING” that’s being used in various places in code. Although we don’t get to see exactly where QUERY_STRING is being defined in the code snippet as a general rule of thumb, values from the query string cannot be trusted. In this case, QUERY_STRING is defined in a different file (in.php) in the following line:

1
define('QUERY_STRING', QUERY_STRING_BLANK.$module);

QUERY_STRING_BLANK is defined in the following way (also in in.php):

1
define('QUERY_STRING_BLANK', $_SERVER['PHP_SELF'].'?m=');

Veteran Spot the Vuln readers will immediately realize that $_SERVER[‘PHP_SELF’] cannot be trusted and can contain attacker supplied data. An old, but good write-up on PHP_SELF XSS can be found here.

Knowing this, we’re free to XSS the Zeus C&C and hijack the bots… as long as we can get the Zeus botmaster to visit a page we own (a reasonable request) AND we can figure out the domain name the botmaster is using for their C&C (fairly difficult). Botmasters can take advantage of browser same origin policy defenses and use a host file to create a unique domain for their C&Cs… minimizing the impact of reflected XSS exploits against their C&Cs. I’m wondering if this is the first public security advice for the botmaster community…

I’ve highlighted the lines that insecurely use the QUERYSTRING constant to build HTML markup, resulting in XSS. I couldn’t find a mod.bcmds.php file after Zeus 1.1.0.0, so I’m considering this specific XSS issue fixed.

There is a second, more subtle issue in this code… one that still affects the latest Zeus C&C builds. The C&C developer seemingly went through great lengths to defend against SQL injection. A quick perusal through the code shows a smattering of addslashes() and is_numeric() in attempts to validate input before passing it to backend databases. What’s missing however… are nonce/token checks (XSRF defenses). The following code snippet is a perfect example:

1
2
3
4
5
6
else if(isset($_GET['del'])&&is_numeric($_GET['del'])&&$pedt)
{
  mysql_query('DELETE FROM  '.TABLE_BCMDS.' WHERE id='.$_GET['del'].' LIMIT 1');
  header('Location: '.QUERY_STRING);
  die();  
}

In the snippet above, we see that the C&C code grabs a value directly from the querystring, validates that it is_numeric(), and then passes the value to a DELETE statement. No where does the code attempt to validate that the request wasn’t generated via XSRF. If an attacker can discover the location of the C&C and lure the botmaster to an attacker controlled page, they can setup an XSRF attack to delete the entire TABLE_BCMDS. Looking through the latest, most current Zeus C&C code, XSRF defenses still have not been put into place… come on guys, even WordPress has XSRF defenses! http://codex.wordpress.org/Function_Reference/wp_verify_nonce

Vulnerable Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
<?php if(!defined('__INDEX__'))die();
$pedt=PRIV&PRIV_BOTS_CMDS_EDIT;
if((isset($_GET['new'])&&$pedt)||(isset($_GET['edit'])&&is_numeric($_GET['edit'])))
{
  if(!@include_once('fmt.php'))die('fmt.php not founded!');
  $name=isset($_POST['name'])?$_POST['name']:time();
  $stat=isset($_POST['stat'])?($_POST['stat']?1:0):0;
  $limit=(isset($_POST['limit'])&&is_numeric($_POST['limit']))?$_POST['limit']:0;
  $cnts=isset($_POST['cnts'])?$_POST['cnts']:'';
  $cids=isset($_POST['cids'])?$_POST['cids']:'';
  $bns=isset($_POST['bns'])?$_POST['bns']:'';
  $cmds=isset($_POST['cmds'])?$_POST['cmds']:'';

  if($_SERVER['REQUEST_METHOD']=='POST'&&strlen($name)>0&&$pedt)
  {
    $cmdsb=EncodeBuffer(str_replace("\r\n","\n",trim($cmds)));
    $data='name=\''.addslashes($name).'\',stat='.$stat.',lim='.$limit.',c=\''.addslashes(SepFmt($cnts)).'\',comps=\''.addslashes(SepFmt($cids)).'\',bns=\''.addslashes(SepFmt($bns)).'\',cmds=\''.addslashes($cmdsb).'\'';
    if(isset($_GET['new']))mysql_query('INSERT INTO '.TABLE_BCMDS.' SET '.$data.',id2='.time());
    else mysql_query('UPDATE '.TABLE_BCMDS.' SET '.$data.' WHERE id=\''.$_GET['edit'].'\' LIMIT 1');
    header('Location: '.QUERY_STRING);
  }
  else
  {
    if(!$pedt&&isset($_GET['new']))unset($_GET['new']);
    HTMLBegin(isset($_GET['new'])?LNG_MBCMDS_NEWCMD:($pedt?LNG_MBCMDS_EDITCMD:LNG_MBCMDS_VIEWCMD));  
    if(isset($_GET['new']))print CmdForm('new',LNG_MBCMDS_NEWCMD,LNG_MBCMDS_ADD,$name,$stat,$limit,$cnts,$cids,$bns,$cmds);
    else
    {
      $r=mysql_query('SELECT * FROM '.TABLE_BCMDS.' WHERE id=\''.$_GET['edit'].'\' LIMIT 1');
      if($r&&mysql_affected_rows()==1&&($m=mysql_fetch_assoc($r)))print CmdForm('edit='.$_GET['edit'],$pedt?LNG_MBCMDS_EDITCMD:LNG_MBCMDS_VIEWCMD,$pedt?LNG_MBCMDS_EDIT:'',$m['name'],$m['stat'],$m['lim'],SepFmtB($m['c']),SepFmtB($m['comps']),SepFmtB($m['bns']),DecodeBuffer($m['cmds']));
      else print '<font class="error">'.LNG_MBCMDS_ERROR_1.'</font>';
    }
    HTMLEnd();
  }
  die();
}
else if(isset($_GET['del'])&&is_numeric($_GET['del'])&&$pedt)
{
  mysql_query('DELETE FROM  '.TABLE_BCMDS.' WHERE id='.$_GET['del'].' LIMIT 1');
  header('Location: '.QUERY_STRING);
  die();  
}
else if(isset($_GET['res'])&&is_numeric($_GET['res'])&&$pedt)
{
  mysql_query('UPDATE '.TABLE_BCMDS.' SET exc=\'0\',rcomps=\'\',exct=\'0\' WHERE id='.$_GET['res'].' LIMIT 1');
  header('Location: '.QUERY_STRING);
  die();
}

HTMLBegin(LNG_MBCMDS,$pedt?'function DelCmd(uid,q){if(confirm(q))window.location=\''.QUERY_STRING.'&del=\'+uid;};function ResCmd(uid,q){if(confirm(q))window.location=\''.QUERY_STRING.'&res=\'+uid;}':'');

$r=mysql_query('SELECT * FROM '.TABLE_BCMDS);      
$total=mysql_affected_rows();
print '<table class="tbl1"><tr><td class="td1" colspan="'.($pedt?9:10).'">'.LNG_MBCMDS_R_CMDS.'&nbsp;('.$total.')</td>';
if($pedt)print '<td class="td1" align="center"><input type="submit" value="'.LNG_MBCMDS_NEWCMD.'" class="ism" style="width:100%" onClick="window.location=\''.QUERY_STRING.'&new\';"></td>';
print '</tr><tr><td class="td1">'.LNG_MBCMDS_R_ID.'</td><td class="td1">'.LNG_MBCMDS_R_NAME.'</td><td class="td1">'.LNG_MBCMDS_R_STAT.'</td><td class="td1">'.LNG_MBCMDS_R_LIMIT.'</td><td class="td1">'.LNG_MBCMDS_R_REQ.'</td><td class="td1">'.LNG_MBCMDS_R_EXEC.'</td><td class="td1">'.LNG_MBCMDS_R_CNTS.'</td><td class="td1">'.LNG_MBCMDS_R_CIDS.'</td><td class="td1">'.LNG_MBCMDS_R_BNS.'</td><td class="td1">&nbsp;</td></tr>';
if($total>0)
{
  $j=0;
  while(($m=mysql_fetch_assoc($r)))
  {
    $a=(($j++)%2==0?1:2);
    print '<tr valign="top"><td align="right" class="tdx'.$a.'">'.$m['id2'].'</td>'.
          '<td class="tdx'.$a.'">'.htmlentities($m['name']).'</td>'.
          '<td class="tdx'.$a.'">'.($m['stat']?LNG_MBCMDS_STAT_ON:LNG_MBCMDS_STAT_OFF).'</td>'.
          '<td align="right" class="tdx'.$a.'">'.$m['lim'].'</td>'.
          '<td align="right" class="tdx'.$a.'">'.$m['exc'].'</td>'.
          '<td align="right" class="tdx'.$a.'">'.$m['exct'].'</td>'.
          '<td class="tdx'.$a.'">'.($m['c']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['c'])))).'</td>'.
          '<td class="tdx'.$a.'">'.($m['comps']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['comps'])))).'</td>'.
          '<td class="tdx'.$a.'">'.($m['bns']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['bns'])))).'</td>'.
          '<td class="tdx'.$a.'" align="center"><input class="ism" style="width:90%" type="submit" value="'.($pedt?LNG_MBCMDS_R_EDIT:LNG_MBCMDS_R_VIEW).'" onClick="window.location=\''.QUERY_STRING.'&edit='.$m['id'].'\';return false;">';
    if($pedt)print '<br><input class="ism" style="width:90%" type="submit" value="'.LNG_MBCMDS_R_RES_OK.'" onClick="javascript:ResCmd(\''.$m['id'].'\',\''.addslashes(sprintf(LNG_MBCMDS_R_RES,$m['name'])).'\');return false;"><br><input class="ism" style="width:90%" type="submit" value="'.LNG_MBCMDS_R_DEL_OK.'" onClick="javascript:DelCmd(\''.$m['id'].'\',\''.addslashes(sprintf(LNG_MBCMDS_R_DEL,$m['name'])).'\');return false;">';
    print '</td></tr>';
  }
}
else print '<tr><td align="center" colspan="10" class="tdx1"><i>'.LNG_MBCMDS_R_NONE.'</i></td></tr>';
print '</table>';
HTMLEnd();

function CmdForm($cmd,$title,$action,$name,$stat,$limit,$cnts,$cids,$bns,$cmds)
{
  $en=$action==''?0:1;
  $stat=$stat?1:0;
  $ro=$en?'':'readonly ';
 
  $str=$en?'<form method="POST" action="'.QUERY_STRING.'&'.$cmd.'">':'';
  $str.='<table class="tbl1" width="350"><tr><td class="td1" colspan="2">'.$title.'</td></tr>'.
        '<tr><td>'.LNG_MBCMDS_NAME.'</td><td width="100%"><input '.$ro.'type="text" name="name" value="'.htmlentities($name).'" style="width:100%"></td></tr>'.
        '<tr><td colspan="2"><table class="tbl1"><tr><td>'.LNG_MBCMDS_STAT.'</td><td width="100%"><select '.($en?'':'disabled ').'name="stat" style="width:100%">'.
        '<option value="1"'.($stat==1?' selected':'').'>'.LNG_MBCMDS_STAT_ON.'</option>'.
        '<option value="0"'.($stat==0?' selected':'').'>'.LNG_MBCMDS_STAT_OFF.'</option>'.
        '</select></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_LIMIT.'</td><td width="100%"><input '.$ro.'type="text" name="limit" value="'.$limit.'" style="width:100%"></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_CNTS.'</td><td width="100%"><input '.$ro.'type="text" name="cnts" value="'.$cnts.'" style="width:100%"></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_CIDS.'</td><td width="100%"><input '.$ro.'type="text" name="cids" value="'.$cids.'" style="width:100%"></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_BNS.'</td><td width="100%"><input '.$ro.'type="text" name="bns" value="'.$bns.'" style="width:100%"></td></tr>'.
        '<tr><td valign="top">'.LNG_MBCMDS_CMDS.'</td><td><textarea wrap="off" '.$ro.'name="cmds" style="width:100%;height:100">'.htmlentities($cmds).'</textarea></td></tr>'.
        '</table></tr></td><tr><td colspan="2" align="right">';
  if($en)$str.='<input type="submit" class="ism" value="'.$action.'" style="width:100">&nbsp;';
  $str.='<input type="submit" class="ism" value="'.LNG_MBCMDS_BACK.'" style="width:100" onClick="window.location.href=\''.QUERY_STRING.'\';return false;"></td></tr>';
  if($en)$str.='</form>';
  return $str.'</table>';
}
function SepFmt($str){if(strlen($str)>1){$str=str_replace(',','|',trim($str));if($str[0]!='|')$str='|'.$str;if($str[strlen($str)-1]!='|')$str.='|';}return $str;}
function SepFmtB($str){if(strlen($str)>1){$str=str_replace('|',',',trim($str));if($str[0]==',')$str=substr($str,1);$l=strlen($str);if($str[$l-1]==',')$str=substr($str,0,$l-1);}return $str;}
?>
]]> http://spotthevuln.com/2011/07/imagination-xss-and-xsrf/feed/ 0 http://spotthevuln.com/2011/07/imagination-xss-and-xsrf/ Imagination http://feedproxy.google.com/~r/Spotthevulncom/~3/89zfYVKH3EU/ http://spotthevuln.com/2011/07/imagination/#comments Mon, 04 Jul 2011 19:54:10 +0000 bkrios http://spotthevuln.com/?p=1540 I am enough of an artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world. Albert Einstein

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107<?php if(!defined('__INDEX__'))die(); $pedt=PRIV&PRIV_BOTS_CMDS_EDIT; if((isset($_GET['new'])&&$pedt)||(isset($_GET['edit'])&&is_numeric($_GET['edit']))) {   if(!@include_once('fmt.php'))die('fmt.php not founded!');   $name=isset($_POST['name'])?$_POST['name']:time();   $stat=isset($_POST['stat'])?($_POST['stat']?1:0):0;   $limit=(isset($_POST['limit'])&&is_numeric($_POST['limit']))?$_POST['limit']:0;   $cnts=isset($_POST['cnts'])?$_POST['cnts']:'';   $cids=isset($_POST['cids'])?$_POST['cids']:'';   $bns=isset($_POST['bns'])?$_POST['bns']:'';   $cmds=isset($_POST['cmds'])?$_POST['cmds']:'';   if($_SERVER['REQUEST_METHOD']=='POST'&&strlen($name)>0&&$pedt)   { [...]]]>

I am enough of an artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world.
Albert Einstein

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
<?php if(!defined('__INDEX__'))die();
$pedt=PRIV&PRIV_BOTS_CMDS_EDIT;
if((isset($_GET['new'])&&$pedt)||(isset($_GET['edit'])&&is_numeric($_GET['edit'])))
{
  if(!@include_once('fmt.php'))die('fmt.php not founded!');
  $name=isset($_POST['name'])?$_POST['name']:time();
  $stat=isset($_POST['stat'])?($_POST['stat']?1:0):0;
  $limit=(isset($_POST['limit'])&&is_numeric($_POST['limit']))?$_POST['limit']:0;
  $cnts=isset($_POST['cnts'])?$_POST['cnts']:'';
  $cids=isset($_POST['cids'])?$_POST['cids']:'';
  $bns=isset($_POST['bns'])?$_POST['bns']:'';
  $cmds=isset($_POST['cmds'])?$_POST['cmds']:'';

  if($_SERVER['REQUEST_METHOD']=='POST'&&strlen($name)>0&&$pedt)
  {
    $cmdsb=EncodeBuffer(str_replace("\r\n","\n",trim($cmds)));
    $data='name=\''.addslashes($name).'\',stat='.$stat.',lim='.$limit.',c=\''.addslashes(SepFmt($cnts)).'\',comps=\''.addslashes(SepFmt($cids)).'\',bns=\''.addslashes(SepFmt($bns)).'\',cmds=\''.addslashes($cmdsb).'\'';
    if(isset($_GET['new']))mysql_query('INSERT INTO '.TABLE_BCMDS.' SET '.$data.',id2='.time());
    else mysql_query('UPDATE '.TABLE_BCMDS.' SET '.$data.' WHERE id=\''.$_GET['edit'].'\' LIMIT 1');
    header('Location: '.QUERY_STRING);
  }
  else
  {
    if(!$pedt&&isset($_GET['new']))unset($_GET['new']);
    HTMLBegin(isset($_GET['new'])?LNG_MBCMDS_NEWCMD:($pedt?LNG_MBCMDS_EDITCMD:LNG_MBCMDS_VIEWCMD));  
    if(isset($_GET['new']))print CmdForm('new',LNG_MBCMDS_NEWCMD,LNG_MBCMDS_ADD,$name,$stat,$limit,$cnts,$cids,$bns,$cmds);
    else
    {
      $r=mysql_query('SELECT * FROM '.TABLE_BCMDS.' WHERE id=\''.$_GET['edit'].'\' LIMIT 1');
      if($r&&mysql_affected_rows()==1&&($m=mysql_fetch_assoc($r)))print CmdForm('edit='.$_GET['edit'],$pedt?LNG_MBCMDS_EDITCMD:LNG_MBCMDS_VIEWCMD,$pedt?LNG_MBCMDS_EDIT:'',$m['name'],$m['stat'],$m['lim'],SepFmtB($m['c']),SepFmtB($m['comps']),SepFmtB($m['bns']),DecodeBuffer($m['cmds']));
      else print '<font class="error">'.LNG_MBCMDS_ERROR_1.'</font>';
    }
    HTMLEnd();
  }
  die();
}
else if(isset($_GET['del'])&&is_numeric($_GET['del'])&&$pedt)
{
  mysql_query('DELETE FROM  '.TABLE_BCMDS.' WHERE id='.$_GET['del'].' LIMIT 1');
  header('Location: '.QUERY_STRING);
  die();  
}
else if(isset($_GET['res'])&&is_numeric($_GET['res'])&&$pedt)
{
  mysql_query('UPDATE '.TABLE_BCMDS.' SET exc=\'0\',rcomps=\'\',exct=\'0\' WHERE id='.$_GET['res'].' LIMIT 1');
  header('Location: '.QUERY_STRING);
  die();
}

HTMLBegin(LNG_MBCMDS,$pedt?'function DelCmd(uid,q){if(confirm(q))window.location=\''.QUERY_STRING.'&del=\'+uid;};function ResCmd(uid,q){if(confirm(q))window.location=\''.QUERY_STRING.'&res=\'+uid;}':'');

$r=mysql_query('SELECT * FROM '.TABLE_BCMDS);      
$total=mysql_affected_rows();
print '<table class="tbl1"><tr><td class="td1" colspan="'.($pedt?9:10).'">'.LNG_MBCMDS_R_CMDS.'&nbsp;('.$total.')</td>';
if($pedt)print '<td class="td1" align="center"><input type="submit" value="'.LNG_MBCMDS_NEWCMD.'" class="ism" style="width:100%" onClick="window.location=\''.QUERY_STRING.'&new\';"></td>';
print '</tr><tr><td class="td1">'.LNG_MBCMDS_R_ID.'</td><td class="td1">'.LNG_MBCMDS_R_NAME.'</td><td class="td1">'.LNG_MBCMDS_R_STAT.'</td><td class="td1">'.LNG_MBCMDS_R_LIMIT.'</td><td class="td1">'.LNG_MBCMDS_R_REQ.'</td><td class="td1">'.LNG_MBCMDS_R_EXEC.'</td><td class="td1">'.LNG_MBCMDS_R_CNTS.'</td><td class="td1">'.LNG_MBCMDS_R_CIDS.'</td><td class="td1">'.LNG_MBCMDS_R_BNS.'</td><td class="td1">&nbsp;</td></tr>';
if($total>0)
{
  $j=0;
  while(($m=mysql_fetch_assoc($r)))
  {
    $a=(($j++)%2==0?1:2);
    print '<tr valign="top"><td align="right" class="tdx'.$a.'">'.$m['id2'].'</td>'.
          '<td class="tdx'.$a.'">'.htmlentities($m['name']).'</td>'.
          '<td class="tdx'.$a.'">'.($m['stat']?LNG_MBCMDS_STAT_ON:LNG_MBCMDS_STAT_OFF).'</td>'.
          '<td align="right" class="tdx'.$a.'">'.$m['lim'].'</td>'.
          '<td align="right" class="tdx'.$a.'">'.$m['exc'].'</td>'.
          '<td align="right" class="tdx'.$a.'">'.$m['exct'].'</td>'.
          '<td class="tdx'.$a.'">'.($m['c']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['c'])))).'</td>'.
          '<td class="tdx'.$a.'">'.($m['comps']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['comps'])))).'</td>'.
          '<td class="tdx'.$a.'">'.($m['bns']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['bns'])))).'</td>'.
          '<td class="tdx'.$a.'" align="center"><input class="ism" style="width:90%" type="submit" value="'.($pedt?LNG_MBCMDS_R_EDIT:LNG_MBCMDS_R_VIEW).'" onClick="window.location=\''.QUERY_STRING.'&edit='.$m['id'].'\';return false;">';
    if($pedt)print '<br><input class="ism" style="width:90%" type="submit" value="'.LNG_MBCMDS_R_RES_OK.'" onClick="javascript:ResCmd(\''.$m['id'].'\',\''.addslashes(sprintf(LNG_MBCMDS_R_RES,$m['name'])).'\');return false;"><br><input class="ism" style="width:90%" type="submit" value="'.LNG_MBCMDS_R_DEL_OK.'" onClick="javascript:DelCmd(\''.$m['id'].'\',\''.addslashes(sprintf(LNG_MBCMDS_R_DEL,$m['name'])).'\');return false;">';
    print '</td></tr>';
  }
}
else print '<tr><td align="center" colspan="10" class="tdx1"><i>'.LNG_MBCMDS_R_NONE.'</i></td></tr>';
print '</table>';
HTMLEnd();

function CmdForm($cmd,$title,$action,$name,$stat,$limit,$cnts,$cids,$bns,$cmds)
{
  $en=$action==''?0:1;
  $stat=$stat?1:0;
  $ro=$en?'':'readonly ';
 
  $str=$en?'<form method="POST" action="'.QUERY_STRING.'&'.$cmd.'">':'';
  $str.='<table class="tbl1" width="350"><tr><td class="td1" colspan="2">'.$title.'</td></tr>'.
        '<tr><td>'.LNG_MBCMDS_NAME.'</td><td width="100%"><input '.$ro.'type="text" name="name" value="'.htmlentities($name).'" style="width:100%"></td></tr>'.
        '<tr><td colspan="2"><table class="tbl1"><tr><td>'.LNG_MBCMDS_STAT.'</td><td width="100%"><select '.($en?'':'disabled ').'name="stat" style="width:100%">'.
        '<option value="1"'.($stat==1?' selected':'').'>'.LNG_MBCMDS_STAT_ON.'</option>'.
        '<option value="0"'.($stat==0?' selected':'').'>'.LNG_MBCMDS_STAT_OFF.'</option>'.
        '</select></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_LIMIT.'</td><td width="100%"><input '.$ro.'type="text" name="limit" value="'.$limit.'" style="width:100%"></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_CNTS.'</td><td width="100%"><input '.$ro.'type="text" name="cnts" value="'.$cnts.'" style="width:100%"></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_CIDS.'</td><td width="100%"><input '.$ro.'type="text" name="cids" value="'.$cids.'" style="width:100%"></td></tr>'.
        '<tr><td>'.LNG_MBCMDS_BNS.'</td><td width="100%"><input '.$ro.'type="text" name="bns" value="'.$bns.'" style="width:100%"></td></tr>'.
        '<tr><td valign="top">'.LNG_MBCMDS_CMDS.'</td><td><textarea wrap="off" '.$ro.'name="cmds" style="width:100%;height:100">'.htmlentities($cmds).'</textarea></td></tr>'.
        '</table></tr></td><tr><td colspan="2" align="right">';
  if($en)$str.='<input type="submit" class="ism" value="'.$action.'" style="width:100">&nbsp;';
  $str.='<input type="submit" class="ism" value="'.LNG_MBCMDS_BACK.'" style="width:100" onClick="window.location.href=\''.QUERY_STRING.'\';return false;"></td></tr>';
  if($en)$str.='</form>';
  return $str.'</table>';
}
function SepFmt($str){if(strlen($str)>1){$str=str_replace(',','|',trim($str));if($str[0]!='|')$str='|'.$str;if($str[strlen($str)-1]!='|')$str.='|';}return $str;}
function SepFmtB($str){if(strlen($str)>1){$str=str_replace('|',',',trim($str));if($str[0]==',')$str=substr($str,1);$l=strlen($str);if($str[$l-1]==',')$str=substr($str,0,$l-1);}return $str;}
?>
]]> http://spotthevuln.com/2011/07/imagination/feed/ 3 http://spotthevuln.com/2011/07/imagination/