Ripe Website Manager SQL Injection and Cross Site Scripting Vulnerabilities

OS2A ID: OS2A_1009

Status:
07/11/2007 Issue Discovered
07/12/2007 Reported to the Vendor
08/22/2007 Public Release

Class: SQL Injection and Cross Site Scripting
Severity: High

Overview:
---------
Ripe Website Manager is a web based CMS (Content Management System). It allows you to create and edit your website pages.

Description:
------------
SQL injection and cross-site scripting vulnerabilities exist in Ripe Website Manager, which can be exploited by malicious users to conduct script insertion and SQL injection attacks. The input passed to the following parameters is not properly sanitized:

- id parameter in 'admin/pages/delete_page.php', 'admin/navigation/delete_menu.php' and 'delete_item.php'
- new_menuname parameter in 'admin/navigation/do_new_nav.php'
- url and name parameters in 'admin/navigation/new_nav_item.php'
- area1 and name parameters in 'admin/pages/do_new_page.php'

Impact:
-------
Successful exploitation allows an attacker to execute arbitrary script, steal cookie-related information in the context of an affected web site and execute SQL queries. To exploit this, an attacker must have login credentials.

Affected Software(s):
---------------------
Ripe Website Manager 0.8.9 and prior

Proof of Concept:
-----------------
After logging in as a valid user:

SQL Injection:
http://example.com/admin/pages/delete_page.php?id=0 or 1=1

XSS:
Go to http://www.example.com/admin/pages/new_page.php and insert the script in the 'Title' field or the 'textarea' field.
OR
Go to http://www.example.com/admin/navigation/new_nav_item.php and insert the script in the 'Name' or 'Link to url' fields.

Analysis:
---------
1. Vulnerable portion of code in Ripe/admin/pages/delete_page.php, admin/navigation/delete_item.php and delete_menu.php (the request value is used without validation or escaping):

    $id = $_GET['id'];

2. Vulnerable portion of code in Ripe/admin/navigation/do_new_item.php:

    $menu_id=$_POST['menu_id'];
    $name=$_POST['name'];
    $page_id=$_POST['page_id'];
    $url=$_POST['url'];

3. Vulnerable portion of code in Ripe/admin/navigation/do_new_nav.php:

    $new_menuname=$_POST['new_menuname'];

4. Vulnerable portion of code in Ripe/admin/pages/do_new_page.php:

    $area1=$_POST['area1'];
    $name=$_POST['name'];
    $url=$_POST['url'];

CVSS Score Report:
------------------
ACCESS_VECTOR          = NETWORK
ACCESS_COMPLEXITY      = LOW
AUTHENTICATION         = SINGLE INSTANCE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = PARTIAL
EXPLOITABILITY         = PROOF_OF_CONCEPT
REMEDIATION_LEVEL      = OFFICIAL_FIX
REPORT_CONFIDENCE      = CONFIRMED

CVSS Base Score     = 6.5 (AV:N/AC:L/Au:SI/C:P/I:P/A:P)
CVSS Temporal Score = 5.1
Risk factor         = High

Solution:
---------
Upgrade to the latest version 0.8.10 of Ripe Website Manager. The design change implemented ensures that other users do not have permission to perform the above operations.

Credits:
--------
Nagendra Kumar G and Arun Kethipelly of OS2A have been credited with the discovery of these vulnerabilities.
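As an added illustration (not code from Ripe Website Manager or from this advisory), the unvalidated-parameter pattern of finding 1 is shown beside a hardened form that validates the id, binds it through a prepared statement, and escapes stored names and URLs on output for findings 2 to 4. The table name, columns and DELETE query are assumptions, since the advisory only shows the assignment lines.

```php
<?php
// Added example (not Ripe Website Manager code): table name, column and query are assumed.

// Vulnerable pattern from finding 1: the raw GET value is spliced into the SQL text,
// so an id of "0 or 1=1" widens the WHERE clause to every row.
function delete_page_vulnerable(PDO $db, array $get): int {
    $id = $get['id'];
    return (int) $db->exec("DELETE FROM pages WHERE id = $id");
}

// Hardened form: validate the type, then bind the value so it is data, not SQL.
function delete_page_safe(PDO $db, array $get): int {
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {
        return 0;                          // non-integer input never reaches the database
    }
    $stmt = $db->prepare('DELETE FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// Same rule for the XSS findings (2-4): stored names and URLs are escaped on output,
// and the link is limited to http(s) or site-relative targets, because escaping
// alone does not neutralise a javascript: URL inside href.
function render_nav_item(string $name, string $url): string {
    if (!preg_match('#^(https?://|/)#i', $url)) {
        $url = '#';
    }
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeUrl  = htmlspecialchars($url,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"$safeUrl\">$safeName</a>";
}

// Self-check against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages VALUES (1,'Home'),(2,'About'),(3,'Contact')");

$safe = delete_page_safe($db, ['id' => '0 or 1=1']);        // rejected before any SQL runs
$vuln = delete_page_vulnerable($db, ['id' => '0 or 1=1']);  // WHERE clause widened to every row
echo "hardened handler removed $safe row(s), vulnerable handler removed $vuln row(s)\n";
echo render_nav_item('<script>alert(1)</script>', '/pages/home'), "\n";
```

Running the script with the PDO SQLite driver enabled shows the hardened handler touching no rows while the vulnerable one empties the constructed table, and the rendered link carrying the script text only as escaped entities.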