________________________________________________________________________
Security Corporation Security Advisory [SCSA-010] ________________________________________________________________________ PROGRAM: MyABraCaDaWeb HOMEPAGE: http://www.webmaster-mag.net/ VULNERABLE VERSIONS: v1.0.2 and prior ________________________________________________________________________ DESCRIPTION ________________________________________________________________________ MyABraCaDaWeb is an other Content Management Systems like PHP-Nuke More informations at : http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (In French) DETAILS & EXPLOITS ________________________________________________________________________ ¤ Path Disclosure : Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers to determine the physical path of the application. This vulnerability would allow a remote user to determine the full path to the web root directory and other potentially sensitive information. This vulnerability can be triggered by a remote user submitting a specially crafted HTTP request, such as a request for an invalid Admin ID. Exploits : http://[target]/index.php?IDAdmin=test http://[target]/index.php?base=test http://[target]/index.php?tampon=test http://[target]/index.php?SqlQuery=test etc... --------------------------------------- ¤ Cross Site Scripting : A Cross-Site Scripting vulnerability have been found in MyABraCaDaWeb which allow attackers to inject script codes into the search script and use them on clients browser as if they were provided by the site. This Cross-Site Scripting vulnerability are found in the page for searching keyword. An attacker can input specially crafted links and/or other malicious scripts. Exploit : http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw= [hostile_c ode] The module could be : "annuaire2liens" The hostile code could be : [script]alert("Cookie="+document.cookie)[/script] (open a window with the cookie of the visitor.) (replace [] by <>) Vulnerable code "header.php" : #################################################################### //---Creation du rapport $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### SOLUTIONS ________________________________________________________________________ ¤ Path Disclosure : No solution for the moment. ¤ Cross Site Scripting : You can found a patch at the following link : http://www.security- corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpat ch.zip For example use this code in "header.php": #################################################################### //---Creation du rapport # BugFix by Gregory LEBRAS www.security-corporation.com $ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw); $ma_kw = eregi_replace("include","!include!",$ma_kw); $ma_kw = eregi_replace("\<\?","<.?",$ma_kw); $ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw); $ma_kw = eregi_replace("\?\>","?.>",$ma_kw); $ma_kw = eregi_replace("<script>","<.script>",$ma_kw); $ma_kw = eregi_replace("</script>","<./script>",$ma_kw); $ma_kw = eregi_replace("javascript","!javascript!",$ma_kw); $ma_kw = eregi_replace("embed","!embed!",$ma_kw); $ma_kw = eregi_replace("iframe","!iframe!",$ma_kw); $ma_kw = eregi_replace("refresh","!refresh!",$ma_kw); $ma_kw = eregi_replace("onload","!onload!",$ma_kw); $ma_kw = eregi_replace("onstart","!onstart!",$ma_kw); $ma_kw = eregi_replace("onerror","!onerror!",$ma_kw); $ma_kw = eregi_replace("onabort","!onabort!",$ma_kw); $ma_kw = eregi_replace("onblur","!onblur!",$ma_kw); $ma_kw = eregi_replace("onchange","!onchange!",$ma_kw); $ma_kw = eregi_replace("onclick","!onclick!",$ma_kw); $ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw); $ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw); $ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw); $ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw); $ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw); $ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw); $ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw); $ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw); $ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw); $ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw); $ma_kw = eregi_replace("onreset","!onreset!",$ma_kw); $ma_kw = eregi_replace("onselect","!onselect!",$ma_kw); $ma_kw = eregi_replace("onsubmit","!onsubmit!",$ma_kw); $ma_kw = eregi_replace("onunload","!onunload!",$ma_kw); $ma_kw = eregi_replace("document.cookie","!document.cookie!",$ma_kw); $ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw); $ma_kw = eregi_replace("location","!location!",$ma_kw); $ma_kw = eregi_replace("object","!object!",$ma_kw); $ma_kw = eregi_replace("vbs","!vbs!",$ma_kw); $ma_kw = eregi_replace("href","!href!",$ma_kw); $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### VENDOR STATUS ________________________________________________________________________ The vendor has reportedly been notified. It currently develops a patch. LINKS ________________________________________________________________________ http://www.security-corporation.com/index.php?id=advisories&a=010 http://www.security-corp.org/index.php?ink=4-15-1 ------------------------------------------------------------------------- Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com -------------------------------------------------------------------------