lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070224224137.21427.qmail@securityfocus.com>
Date: 24 Feb 2007 22:41:37 -0000
From: simon.itsecurity@...il.com
To: bugtraq@...urityfocus.com
Subject: SQLiteManager v1.2.0 Multiple Vulnerabilities

SQLiteManager v1.2.0 Multiple Vulnerabilities
-------------------------------------------------------
vendor : http://www.sqlitemanager.org/
Global risk   : High
-------------------------------------------------------

SQLite is a SQL managed portal like PhpMyAdmin.

Multiple Cross Scripting Vulnerabilities
-----------------------------------------

In main.php the database name field is vulnerable to a XSS attack.
This xss is permanent, if a user with restricted rights creates a 
table  with as name a malicious code the administrator gone get his 
cookie stealed when he opens SqliteManager's index. The same things 
happens for the table's name field if a malicious code is inserted.

The solution is then to use htmlentities().

others vulnerables fields to XSS attacks :

main.php :
............... ViewName
............... view
............... trigger
............... function
............... (...)

Theses vulnerabilities are presents in others pages too.
Here too the better solution is to use htmlentities().

reference : www.php.net/htmlentities 

Locale File Include
-------------------

GET /home/sqlite/ HTTP/1.0
[...]
Cookie: PHPSESSID=[...];SQLiteManager_currentTheme=../../../../../../../../../../../../../etc/passwd%00;
SQLiteManager_currentLangue=deleted

SQLiteManager_currentTheme variable is vulnerable.
This request will returns the /etc/passwd file.

This vulnerability is dangerous, indeed a user with restricted access to SqliteManage
could get non-authorized files.

Regards,

Simon Bonnard - 24/02/2007
Contact : simon.itsecurity[at]gmail[dot]com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ