Message-ID: <005101c2ecc4$7bed9c70$0300a8c0@goliath>
From: gregory.lebras at security-corporation.com (Gregory Le Bras | Security Corporation)
Subject: [SCSA-010] Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb

________________________________________________________________________

Security Corporation Security Advisory [SCSA-010]
________________________________________________________________________

PROGRAM: MyABraCaDaWeb
HOMEPAGE: http://www.webmaster-mag.net/
VULNERABLE VERSIONS: v1.0.2 and prior
________________________________________________________________________

DESCRIPTION
________________________________________________________________________

MyABraCaDaWeb is another content management system, similar to PHP-Nuke.

More information at:
http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (in French)


DETAILS & EXPLOITS
________________________________________________________________________


- Path Disclosure:

Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers
to determine the physical path of the application.


This vulnerability would allow a remote user to determine the full path to
the web root directory and other potentially sensitive information.

This vulnerability can be triggered by a remote user submitting a
specially crafted HTTP request, such as a request for an invalid Admin ID.


Exploits:

http://[target]/index.php?IDAdmin=test

http://[target]/index.php?base=test

http://[target]/index.php?tampon=test

http://[target]/index.php?SqlQuery=test

etc...

---------------------------------------

- Cross Site Scripting:

A Cross-Site Scripting vulnerability has been found in MyABraCaDaWeb which
allows attackers to inject script code into the search script and have it
executed in the client's browser as if it were provided by the site.

This Cross-Site Scripting vulnerability is found in the keyword search
page.

An attacker can input specially crafted links and/or other malicious
scripts.



Exploit:

http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw=[hostile_code]

The module could be: "annuaire2liens"

The hostile code could be:
[script]alert("Cookie="+document.cookie)[/script]

(opens a window showing the visitor's cookie.)

(replace [] by <>)

Vulnerable code in "header.php":

####################################################################
//--- Report creation
// $ma_kw (the search keyword taken from the request) is written into the
// template without any HTML encoding; this is the cross-site scripting issue.
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
if(quel_groupe() == 4){
// Only the SQL text shown to group 4 is encoded; the keyword above is not.
$sql = htmlentities($sql);
$sql = addslashes($sql);
$vtp_p->addSession($tpl_p,"sql");
$vtp_p->setVar($tpl_p,"sql.sql",$sql);
$vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);
####################################################################



SOLUTIONS
________________________________________________________________________

- Path Disclosure:

No solution for the moment.

- Cross Site Scripting:

A patch is available at the following link:

http://www.security-corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpatch.zip

For example, use this code in "header.php":

####################################################################
//--- Report creation

# BugFix by Gregory LEBRAS www.security-corporation.com

$ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw);
$ma_kw = eregi_replace("include","!include!",$ma_kw);
$ma_kw = eregi_replace("\<\?","<.?",$ma_kw);
$ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw);
$ma_kw = eregi_replace("\?\>","?.>",$ma_kw);
$ma_kw = eregi_replace("<script>","<.script>",$ma_kw);
$ma_kw = eregi_replace("</script>","<./script>",$ma_kw);
$ma_kw = eregi_replace("javascript","!javascript!",$ma_kw);
$ma_kw = eregi_replace("embed","!embed!",$ma_kw);
$ma_kw = eregi_replace("iframe","!iframe!",$ma_kw);
$ma_kw = eregi_replace("refresh","!refresh!",$ma_kw);
$ma_kw = eregi_replace("onload","!onload!",$ma_kw);
$ma_kw = eregi_replace("onstart","!onstart!",$ma_kw);
$ma_kw = eregi_replace("onerror","!onerror!",$ma_kw);
$ma_kw = eregi_replace("onabort","!onabort!",$ma_kw);
$ma_kw = eregi_replace("onblur","!onblur!",$ma_kw);
$ma_kw = eregi_replace("onchange","!onchange!",$ma_kw);
$ma_kw = eregi_replace("onclick","!onclick!",$ma_kw);
$ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw);
$ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw);
$ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw);
$ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw);
$ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw);
$ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw);
$ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw);
$ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw);
$ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw);
$ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw);
$ma_kw = eregi_replace("onreset","!onreset!",$ma_kw);
$ma_kw = eregi_replace("onselect","!onselect!",$ma_kw);
$ma_kw = eregi_replace("onsubmit","!onsubmit!",$ma_kw);
$ma_kw = eregi_replace("onunload","!onunload!",$ma_kw);
$ma_kw = eregi_replace("document.cookie","!document.cookie!",$ma_kw);
$ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw);
$ma_kw = eregi_replace("location","!location!",$ma_kw);
$ma_kw = eregi_replace("object","!object!",$ma_kw);
$ma_kw = eregi_replace("vbs","!vbs!",$ma_kw);
$ma_kw = eregi_replace("href","!href!",$ma_kw);
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
if(quel_groupe() == 4){
$sql = htmlentities($sql);
$sql = addslashes($sql);
$vtp_p->addSession($tpl_p,"sql");
$vtp_p->setVar($tpl_p,"sql.sql",$sql);
$vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);
####################################################################
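Added here as an illustration, not code from the advisory or from MyABraCaDaWeb: both the vulnerable header.php shown under DETAILS and the blacklist patch above can be handled by encoding the keyword on output, which needs no list of dangerous tags or event names to keep current (note also that the ereg family used in the patch was removed in PHP 7). Names taken from the advisory's code are $ma_kw, $NbMotCle, $NbLiens, $vtp_p and $tpl_p; safe_keyword and safe_count are hypothetical helpers introduced for this example.

```php
<?php
// Added example, not the advisory's or the vendor's code: replaces the
// keyword blacklist with output encoding. Assumes the header.php variables
// the advisory shows ($ma_kw, $NbMotCle, $NbLiens, $vtp_p, $tpl_p);
// VTemplate itself is not reproduced here.

// Encode every character that can end an HTML text node or attribute value.
// ENT_QUOTES also handles single quotes, which the blacklist never touches.
function safe_keyword(string $ma_kw): string
{
    return htmlspecialchars($ma_kw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Report counters should reach the page as integers, never as raw strings.
function safe_count($n): int
{
    return max(0, (int) $n);
}

// Read the keyword from the request explicitly rather than relying on
// register_globals, which is how $ma_kw reaches header.php in the advisory.
$ma_kw = isset($_GET['ma_kw']) ? (string) $_GET['ma_kw'] : '';

// Constructed input for the demonstration: the advisory's sample payload.
if ($ma_kw === '') {
    $ma_kw = '<script>alert("Cookie="+document.cookie)</script>';
}

// The encoded keyword contains no '<', '>' or quote characters, so the
// browser renders it as text instead of parsing it as markup.
echo safe_keyword($ma_kw), "\n";

// In header.php, hand the encoded values to the template in place of the
// raw variables the advisory's code passes:
//   $vtp_p->setVar($tpl_p, "rapport.ma_kw", safe_keyword($ma_kw));
//   $vtp_p->setVar($tpl_p, "rapport.NbMotCle", safe_count($NbMotCle));
//   $vtp_p->setVar($tpl_p, "rapport.NbLiens", safe_count($NbLiens));
```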


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified and is currently developing a patch.


LINKS
________________________________________________________________________

http://www.security-corporation.com/index.php?id=advisories&a=010

http://www.security-corp.org/index.php?ink=4-15-1

-------------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
-------------------------------------------------------------------------


