Date: Tue, 16 Aug 2005 01:58:37 -0700
From: "Thor Larholm" <thor@...x.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Vulnerability found in CPAINT Ajax Toolkit


I had a couple minutes to spare and highlighted some additional
vulnerabilities in CPAINT to the developers, which have now been fixed
promptly.

CPAINT uses xmlhttp to call a serverside script with either GET or POST
requests. The basic request structure is as follows:

cpaint_function=serversideFunction&cpaint_argument[]=firstArgument&cpaint_argument[]=secondArgument

These are parsed and checked for malicious function calls and then
concatenated into a string which is evaluated on the server, as such

cpaint_runcode(request.querystring("cpaint_function") & " (" & join(cpaint_arguments, ",") & ")")

1) 
You can inject malicious code to be executed by the server through
string concatenation of the arguments. Here's an example with the
default calculator example.

calculator.asp?cpaint_function=addNumbers&cpaint_argument[]=1&cpaint_argument[]=2")%20%26%20eval("malicious code

2)
You don't have to know the name of a predefined function in order to
execute malicious code. Example:

http://someserver.com/cpaintfile.asp?cpaint_function=response.write&cpaint_argument[]=2")%20%26%20eval("malicious code

3)
The checkBlacklist function did not scrub out calls to the ExecuteGlobal
function and GetRef statement, allowing for further code injection.

4)
All of the above also allow simple XSS.

The above problems have been fixed in the current release, though the
use of eval on the server will continue to represent a target. The
CPAINT developers will soon be releasing version 2 of their library
which will move away from eval and only allow calls to explicitly
defined serverside functions.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>   

-----Original Message-----
From: wiley14@...il.com [mailto:wiley14@...il.com] 
Sent: Monday, August 15, 2005 6:53 PM
To: bugtraq@...urityfocus.com
Subject: Vulnerability found in CPAINT Ajax Toolkit

I am the original author of the CPAINT Ajax Toolkit
(http://cpaint.sourceforge.net/).  Last night we found a vulnerability
affecting all versions of CPAINT prior to v1.3-SP (which is the patched
version of the software) that can allow a user with malicious intent to
execute server or ASP/PHP commands that would allow them to easily
access data on the server.

We have removed prior versions of the software from our SourceForge
Project website and highly recommend that all users upgrade to v1.3-SP
which can be downloaded at
http://sourceforge.net/project/showfiles.php?group_id=141041&package_id=154713&release_id=349396

This problem will also affect any software packages and/or websites that
utilize the CPAINT toolkit.  We also suspect this problem affects other
AJAX toolkits (as they are all very similar in the way they execute
functions on the backend) and urge other AJAX toolkit authors and users
to test for any security problems as well.
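The fix direction Thor's message attributes to CPAINT version 2 (no server-side eval, only calls to explicitly defined serverside functions) can be shown with a small dispatcher that parses the cpaint_function / cpaint_argument[] request format and looks the function name up in a fixed table. This is an added illustration in Node.js, not CPAINT's own code; the handler table, the dispatch function and the sample requests are constructed for the example.

```javascript
// Added example, not CPAINT's own code: a dispatcher in the style of the
// "explicit serverside functions" design described for CPAINT v2. The request
// is never concatenated into a string for eval(); the function name is used
// only as a key into a fixed table, and arguments stay opaque string values.

// Explicit table of callable server-side functions (constructed for the example).
// Each handler validates its own arguments before doing any work.
const handlers = {
  addNumbers(a, b) {
    const x = Number(a), y = Number(b);
    if (!Number.isFinite(x) || !Number.isFinite(y)) {
      throw new Error("addNumbers: arguments must be numeric");
    }
    return x + y;
  },
};

// Parse "cpaint_function=name&cpaint_argument[]=v1&cpaint_argument[]=v2" and
// dispatch to an allowed handler. Returns { ok: true, result } or { ok: false, error }.
function dispatch(queryString) {
  const params = new URLSearchParams(queryString); // decodes %20, %26 etc.
  const name = params.get("cpaint_function");
  const args = params.getAll("cpaint_argument[]");
  // Only own properties of the table are callable: names such as
  // "response.write", "eval" or "constructor" are rejected, not evaluated.
  if (!name || !Object.prototype.hasOwnProperty.call(handlers, name)) {
    return { ok: false, error: `unknown function: ${name}` };
  }
  try {
    // Arguments are passed as plain strings; a quote or "&" in a value is
    // just data to the handler, so the concatenation trick from the post
    // has nothing to break out of.
    return { ok: true, result: handlers[name](...args) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed requests mirroring the post: a benign call, the injected
// variant of it, and a call to a function that is not in the table.
const benign = "cpaint_function=addNumbers&cpaint_argument[]=1&cpaint_argument[]=2";
const injected = 'cpaint_function=addNumbers&cpaint_argument[]=1&cpaint_argument[]=2")%20%26%20eval("malicious code';
const unknownFn = 'cpaint_function=response.write&cpaint_argument[]=2")%20%26%20eval("malicious code';
```

With this shape the injected request simply fails argument validation ("2\") & eval(\"malicious code" is not a number) and the response.write request is rejected as an unknown function.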

