2.0A

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

clever-copy

nessus

exploit available

NVD

Published: 2005-07-19

Updated: 2008-09-05

Summary

Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the searchtype or searchterm parameters to (1) results.php or (2) categorysearch.php.

Vulnerable Configurations

Part	Description	Count
Application	Clever_Copy Clever Copy Clever Copy 2.0 Clever Copy Clever Copy 2.0A	2

Exploit-Db

description	Clever Copy 2.0 results.php Multiple Parameter XSS. CVE-2005-2324. Webapps exploit for php platform
id	EDB-ID:26037
last seen	2016-02-03
modified	2005-07-27
published	2005-07-27
reporter	Lostmon
source	https://www.exploit-db.com/download/26037/
title	Clever Copy 2.0 results.php Multiple Parameter XSS

description	Clever Copy 2.0 categorysearch.php Multiple Parameter XSS. CVE-2005-2324 . Webapps exploit for php platform
id	EDB-ID:26038
last seen	2016-02-03
modified	2005-07-27
published	2005-07-27
reporter	Lostmon
source	https://www.exploit-db.com/download/26038/
title	Clever Copy 2.0 categorysearch.php Multiple Parameter XSS

Nessus

NASL family	CGI abuses
NASL id	CLEVERCOPY_PATH_DISCLOSURE_XSS.NASL
description	The remote host is running Clever Copy, a free, fully-scalable web site portal and news posting system written in PHP The remote version of this software contains multiple vulnerabilities that can lead to path disclosure, cross-site scripting and unauthorized access to private messages.
last seen	2020-06-01
modified	2020-06-02
plugin id	19392
published	2005-08-07
reporter	Copyright (C) 2005-2018 Josh Zlatin-Amishav
source	https://www.tenable.com/plugins/nessus/19392
title	Clever Copy Multiple Vulnerabilities (XSS, Path Disc, Inf Disc)
code	# # This script was written by Josh Zlatin-Amishav <josh at tkos dot co dot il> # # This script is released under the GNU GPLv2 # # Changes by Tenable: # - revised plugin title, added CVE xrefs, added See also, lowered Risk from Medium (12/11/08) # - changed exploit from SQL injection to XSS, which is what these BIDs cover (12/11/08) # - revised plugin title, changed family (4/28/09) include("compat.inc"); if (description) { script_id(19392); script_version("1.24"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id("CVE-2005-2324", "CVE-2005-2325", "CVE-2005-2326"); script_bugtraq_id(14278, 14395, 14397); script_name(english:"Clever Copy Multiple Vulnerabilities (XSS, Path Disc, Inf Disc)"); script_summary(english:"Checks for XSS in results.php"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple issues."); script_set_attribute(attribute:"description", value: "The remote host is running Clever Copy, a free, fully-scalable web site portal and news posting system written in PHP The remote version of this software contains multiple vulnerabilities that can lead to path disclosure, cross-site scripting and unauthorized access to private messages."); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2de3c207"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6452dc3e" ); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6f8cfd3f" ); script_set_attribute(attribute:"solution", value:"There is no known solution at this time."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/07"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"Copyright (C) 2005-2020 Josh Zlatin-Amishav"); script_dependencies("http_version.nasl", "cross_site_scripting.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_keys("Settings/ParanoidReport", "www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("http_func.inc"); include("http_keepalive.inc"); include("url_func.inc"); # nb: avoid false-positives caused by not checking for the app itself. if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_http_port(default:80, embedded:TRUE); if(!get_port_state(port))exit(0); if(!can_host_php(port:port)) exit(0); if ( get_kb_item("www/"+port+"/generic_xss") ) exit(0); # A simple alert. xss = "<script>alert('" + SCRIPT_NAME + "');</script>"; # nb: the url-encoded version is what we need to pass in. exss = urlencode(str:xss); foreach dir ( cgi_dirs() ) { req = http_get( item:string( dir, "/results.php?", 'searchtype=">', exss, "category&", "searchterm=Nessus" ), port:port ); res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE); if ( xss >< res ) { security_warning(port); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE); exit(0); } }

References

http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.html