lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: francois.sorin at security-corporation.com (François SORIN) Subject: [KSA-001] Multiple vulnerabilities in Tutos ================================================= Kereval Security Advisory [KSA-001] Multiple vulnerabilities in Tutos ================================================= PROGRAM: Tutos HOMEPAGE: http://www.tutos.org VULNERABLE VERSIONS: 1.1 RISK: Medium/High IMPACT: Cross Site Scripting RELEASE DATE: 2003-06-24 ================================================= TABLE OF CONTENTS ================================================= 1..........................................................DESCRIPTION 2..............................................................DETAILS 3.............................................................EXPLOITS 4............................................................SOLUTIONS 5...........................................................WORKAROUND 6........................................................VENDOR STATUS 7..............................................................CREDITS 8...........................................................DISCLAIMER 9...........................................................REFERENCES 10............................................................FEEDBACK 1. DESCRIPTION ================================================= "TUTOS is a tool to manage the the organizational needs of small groups, teams, departments ... To do this it provides some web-based tools" (direct quote from http://www.tutos.org) 2. DETAILS ================================================= ? Cross Site Scripting : Many exploitable bugs was found in Tutos which cause script execution on client's computer by following a crafted url. This kind of attack known as "Cross-Site Scripting Vulnerability" is present in many section of the web site, an attacker can input specially crafted links and/or other malicious scripts. An attacker can upload a file and execute it on the client's computer. The browser IE can execute a HTML page without extension. 3. EXPLOITS ================================================= ? Cross Site Scripting : http://[target]/tutos/file/file_select.php?msg=<hostile code> All url with attribute msg... The hostile code could be : [script]alert("Cookie="+document.cookie)[/script] (open a window with the cookie of the visitor.) (replace [] by <>) ? Upload a file with a malicious script We can upload via http://[target]/tutos/file/file_new.php?link_id=1065 The path is http://[target]/tutos/repository/[project number]/[file number]/FILE 4. SOLUTIONS ================================================= The Problem is solved for all new releases where the given <hostile code> is strictly interpreted as NON-HTML code by TUTOS. And most messages are stored in the sessiondata and no longer in URLs (there was also a problem with too long URLs) The version that implements this is available via CVS as BRANCH-1-1 How to get CVS is described on <https://sourceforge.net/cvs/?group_id=8047> 5. WORKAROUND ================================================= ? Cross Site Scripting : Use the function php eregi_replace to filter the input data. 6. VENDOR STATUS ================================================= 2003-06-19 Vulnerability discovered 2003-06-20 The vendor has reportedly been notified. 2003-06-21 Security Corporation clients notified 2003-06-23 Response from the vendor with solution. 2003-06-24 Public disclosure 7. CREDITS ================================================= Discovered by Fran?ois SORIN <francois.sorin@...urity-corporation.com> Thanks to http://www.security-corporation.com 8. DISLAIMER ================================================= The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. 9. REFERENCES ================================================= - Original Version: http://www.security-corporation.com/articles-20030624-000.html - Version Fran?aise: http://www.security-corporation.com/articles-20030624-001.html 10. FEEDBACK ================================================= Please send suggestions, updates, and comments to: Kereval Immeuble Le Gallium 80, avenue des Buttes de Coesmes 35700 RENNES - FRANCE info@...eval.com
Powered by blists - more mailing lists