lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060530145311.20172.qmail@securityfocus.com>
Date: 30 May 2006 14:53:11 -0000
From: enji@...lab.tuwien.ac.at
To: bugtraq@...urityfocus.com
Subject: Open Searchable Image Catalogue: XSS and SQL Injection
 Vulnerabilities


===========================================================
Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0605-001, May 30, 2006
===========================================================


Affected applications
----------------------

Open Searchable Image Catalogue (http://cosp.wordpress.com/tag/osic, http://sourceforge.net/projects/osic-win)

Versions 0.7 and prior.


Description
------------

There are a number of cross site scripting (XSS) vulnerabilities that are caused by the second echo statement in function do_mysql_query (core.php, line 544). If a database query fails for some reason, the query is reflected back to the user. Here are a few points where this situation can be exploited (if register_globals is active and if the current user is logged in as admin):

adminfunctions.php, line 531
http://localhost/osic07/admin.php?action=manageusers&username=neweviluser&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</script>

adminfunctions.php, line 561
http://localhost/osic07/admin.php?action=manageusers&id=777&username=neweviluser&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</script>

editcatalogue.php, line 523
http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id='<script>alert('hi')</script>&uploaded=true&submit=true&AddRemaining=true
[there has to be at least one file with a valid extension in the uploads directory]

editcatalogue.php, line 581
http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id=777&uploaded=true&submit=true&catalogue_id='<script>alert('hi')</script>

The above vulnerabilities are also SQL Injection vulnerabilities.

Some analogous cases in search.php:

search.php, line 120:
The $query variable can contain malicious user input due to the assignments on lines 90-112.

search.php, line 152:
$cf_query is tainted by $cfid, which is tainted by $tempCustomFieldID, which is tainted by $HTTP_POST_VARS (line 138).

search.php, lines 243-250:
There are calls to getValueFromID with $item_list as parameter, which can be controlled by an attacker.


Solution
---------

The authors have responded to our message quickly and have released version 0.7.0.1, which fixes the above issues.

Timeline:

March 30, 2006:
- Vulnerabilities reported to Chris Goerner.
- Response and release of fixed version.
- Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0605-001.txt


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ