lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: joxeankoret at yahoo.es (Joxean Koret)
Subject: Various Vulnerabilities in OWL Intranet Engine

----------------------------------------------------------------------------
               Various Vulnerabilities in OWL Intranet Engine
----------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004 
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OWL 0.7 and 0.8 -  Owl is a multi user document repository
(knowledgebase) 
system written in PHP4 for publishing files/documents onto the web for
a 
corporation, small business, group of people, or just for yourself.

Web : http://owl.sourceforge.net/

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerabilities

A1. In the script browser various parameters, that are used to write the
html code, not are verified. 

	Test URLS : 


http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1'><script>alert(document.location)</script>&order=creatorid&sortposted=DESC


http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1&order=creatorid'><script>alert(document.location)</script>&sortposted=DESC


B. SQL Injection Vulnerabilities

B1. In the browser.php script the following parameters are vulnerables
to an
SQL Injection attacks.

	Test URLS : 
	

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104[SQL%20INJECTION]&expand=1&order=creatorid&sortposted=DESC

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104&expand=1&order=creatorid&sortposted=DESC[SQL%20INJECTION]


The fix:
~~~~~~~~

All problems are fixed in the CVS.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

	Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050101/c31a5020/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ