[SCSA-010] Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb

From: Grégory (gregory.lebras@security-corporation.com)
Date: Mon Mar 17 2003 - 12:22:37 PST

Next message: Mandrake Linux Security Team: "MDKSA-2003:032 - Updated samba packages fix remote root vulnerability"

Previous message: Lluis Mora: "S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) ________________________________________________________________________ Security Corporation Security Advisory [SCSA-010] ________________________________________________________________________ PROGRAM: MyABraCaDaWeb HOMEPAGE: http://www.webmaster-mag.net/ VULNERABLE VERSIONS: v1.0.2 and prior ________________________________________________________________________ DESCRIPTION ________________________________________________________________________ MyABraCaDaWeb is an other Content Management Systems like PHP-Nuke More informations at : http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (In French) DETAILS & EXPLOITS ________________________________________________________________________ ¤ Path Disclosure : Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers to determine the physical path of the application. This vulnerability would allow a remote user to determine the full path to the web root directory and other potentially sensitive information. This vulnerability can be triggered by a remote user submitting a specially crafted HTTP request, such as a request for an invalid Admin ID. Exploits : http://[target]/index.php?IDAdmin=test http://[target]/index.php?base=test http://[target]/index.php?tampon=test http://[target]/index.php?SqlQuery=test etc... --------------------------------------- ¤ Cross Site Scripting : A Cross-Site Scripting vulnerability have been found in MyABraCaDaWeb which allow attackers to inject script codes into the search script and use them on clients browser as if they were provided by the site. This Cross-Site Scripting vulnerability are found in the page for searching keyword. An attacker can input specially crafted links and/or other malicious scripts. Exploit : http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw= [hostile_c ode] The module could be : "annuaire2liens" The hostile code could be : [script]alert("Cookie="+document.cookie)[/script] (open a window with the cookie of the visitor.) (replace [] by <>) Vulnerable code "header.php" : #################################################################### //---Creation du rapport $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### SOLUTIONS ________________________________________________________________________ ¤ Path Disclosure : No solution for the moment. ¤ Cross Site Scripting : You can found a patch at the following link : http://www.security- corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpat ch.zip For example use this code in "header.php": #################################################################### //---Creation du rapport # BugFix by Gregory LEBRAS www.security-corporation.com $ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw); $ma_kw = eregi_replace("include","!include!",$ma_kw); $ma_kw = eregi_replace("\<\?","<.?",$ma_kw); $ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw); $ma_kw = eregi_replace("\?\>","?.>",$ma_kw); $ma_kw = eregi_replace("<script>","<.script>",$ma_kw); $ma_kw = eregi_replace("</script>","<./script>",$ma_kw); $ma_kw = eregi_replace("javascript","!javascript!",$ma_kw); $ma_kw = eregi_replace("embed","!embed!",$ma_kw); $ma_kw = eregi_replace("iframe","!iframe!",$ma_kw); $ma_kw = eregi_replace("refresh","!refresh!",$ma_kw); $ma_kw = eregi_replace("onload","!onload!",$ma_kw); $ma_kw = eregi_replace("onstart","!onstart!",$ma_kw); $ma_kw = eregi_replace("onerror","!onerror!",$ma_kw); $ma_kw = eregi_replace("onabort","!onabort!",$ma_kw); $ma_kw = eregi_replace("onblur","!onblur!",$ma_kw); $ma_kw = eregi_replace("onchange","!onchange!",$ma_kw); $ma_kw = eregi_replace("onclick","!onclick!",$ma_kw); $ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw); $ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw); $ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw); $ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw); $ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw); $ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw); $ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw); $ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw); $ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw); $ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw); $ma_kw = eregi_replace("onreset","!onreset!",$ma_kw); $ma_kw = eregi_replace("onselect","!onselect!",$ma_kw); $ma_kw = eregi_replace("onsubmit","!onsubmit!",$ma_kw); $ma_kw = eregi_replace("onunload","!onunload!",$ma_kw); $ma_kw = eregi_replace("document.cookie","!document.cookie!",$ma_kw); $ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw); $ma_kw = eregi_replace("location","!location!",$ma_kw); $ma_kw = eregi_replace("object","!object!",$ma_kw); $ma_kw = eregi_replace("vbs","!vbs!",$ma_kw); $ma_kw = eregi_replace("href","!href!",$ma_kw); $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### VENDOR STATUS ________________________________________________________________________ The vendor has reportedly been notified. It currently develops a patch. LINKS ________________________________________________________________________ http://www.security-corporation.com/index.php?id=advisories&a=010 http://www.security-corp.org/index.php?ink=4-15-1 ------------------------------------------------------------------------- Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com -------------------------------------------------------------------------

Next message: Mandrake Linux Security Team: "MDKSA-2003:032 - Updated samba packages fix remote root vulnerability"
Previous message: Lluis Mora: "S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Mar 17 2003 - 12:57:13 PST