Message-Id: <200912291358.nBTDwGcw018390@CA-IX-1.intnet>
Date: Tue, 29 Dec 2009 14:58:16 +0100
From: Secunia Research <remove-vuln@...unia.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Secunia Research: AproxEngine Multiple Vulnerabilities

====================================================================== 

                     Secunia Research 29/12/2009

              - AproxEngine Multiple Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* AproxEngine 5.3.04
* AproxEngine 6.0

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately critical
Impact: SQL Injection
        Cross-Site Scripting
        Manipulation of Data
        Spoofing
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"The APROXEngine is a content management system (CMS) developed by us.
Simply put, a CMS is a modular system for creating, maintaining and
managing websites."

Product Link:
http://www.aprox.de/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in AproxEngine, 
which can be exploited by malicious users to manipulate certain data, 
conduct spoofing, SQL injection, and script insertion attacks and by 
malicious people to conduct SQL injection and script insertion 
attacks.

1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
be exploited to insert arbitrary HTML and script code, which will be 
executed in a user's browser session in context of an affected site 
when the malicious data is being viewed.

3) Input passed via the "art" parameter to index.php is not properly 
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed via the "Referer" HTTP header to index.php is not 
properly sanitised before being used in an SQL query. This can be 
exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed to the "datei" parameter in /engine/inc/
galerie_unlink.php is not properly verified before being used to 
delete image files. This can be exploited to delete arbitrary files 
via directory traversal attacks.

Successful exploitation of this vulnerability requires administrative 
privileges.

6) Input passed to the "del_verz" parameter in /engine/inc/
galerie_del_verz.php is not properly verified before being used to 
delete galleries. This can be exploited to delete arbitrary 
directories via directory traversal attacks.

Successful exploitation of this vulnerability requires administrative 
privileges.

7) Input passed via the "from" parameter to index.php (when "page" is 
set to "sql_postfach" and "action" is set to "new") is not properly 
verified before being used to send mails to users. This can be 
exploited to e.g. spoof mails from the administrator.

8) Input passed via the "to", "betreff", and "elm1" parameters to 
index.php (when "page" is set to "sql_postfach" and "action" is set to 
"new") is not properly sanitised before being used in an SQL query. 
This can be exploited to manipulate SQL queries by injecting arbitrary 
SQL code.

9) Input passed via various parameters to index.php (when "page" is 
set to "sql_profil" and "action" is set to "list") is not properly 
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability on version 6.0 requires 
administrative privileges.

10) Input passed via the "generator", "author", "description", and 
"keywords" parameters to index.php (when "page" is set to 
"user_html_ed" and "action" is set to "open") is not properly 
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

11) Input passed via the "generator", "author", "description", and 
"keywords" parameters to index.php (when "page" is set to 
"user_html_ed" and "action" is set to "open") is not properly 
sanitised before being displayed to the user. This can be exploited 
to insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the 
malicious data is being viewed.

12) Input passed via the "mail" parameter to index.php (when "page" is 
set to "sql_profil" and "action" is set to "list") is not properly 
sanitised before being displayed to the user. This can be exploited to 
insert arbitrary HTML and script code, which will be executed in a 
user's browser session in context of an affected site when the 
malicious data is being viewed.

Successful exploitation of this vulnerability on version 6.0 requires 
administrative privileges.

13) Input passed via the "betreff" parameter to index.php (when "page" 
is set to "sql_postfach" and "action" is set to "new") is not properly 
sanitised before being displayed to the user. This can be exploited to 
insert arbitrary HTML and script code, which will be executed in a 
user's browser session in context of an affected site when the 
malicious data is being viewed.

The vulnerabilities are confirmed in versions 5.3.04 and 6.0. Other
versions may also be affected.

NOTE: Successful exploitation of all vulnerabilities except #5 and #6 
requires that "magic_quotes_gpc" is disabled.
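As an added defender-side illustration (not AproxEngine code, which the advisory does not show): the containment check missing from the "datei"/"del_verz" handlers (#5, #6), a parameterised lookup for the "login" parameter (#1), and an emulation of what magic_quotes_gpc does to request data, which makes clear why that setting leaves #5 and #6 untouched. The gallery path and the user rows are constructed for the example.

```python
import os
import sqlite3
from typing import Optional

# Assumed gallery directory (constructed for this example; not from the advisory).
GALLERY_ROOT = "/var/www/engine/galerie"


def magic_quotes_escape(value: str) -> str:
    """Emulate what PHP's magic_quotes_gpc did to every request value
    (addslashes): prefix ' " \\ and NUL with a backslash. It only matters
    where the value ends up inside a quoted SQL string literal; a path
    such as ../../x contains none of those characters and passes unchanged."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def resolve_gallery_file(datei: str, root: str = GALLERY_ROOT) -> Optional[str]:
    """Containment check for a "datei"/"del_verz"-style parameter: after
    normalising any ../ segments the target must lie strictly below the
    gallery root, otherwise the request is refused (returns None).
    A deployed version should also apply os.path.realpath to defeat symlinks."""
    root = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root, datei))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def find_user(conn: sqlite3.Connection, login: str) -> list:
    """Parameterised lookup for the "login" parameter: the value is bound by
    the driver, never spliced into the statement, so quote characters in it
    cannot change the query's structure."""
    cur = conn.execute("SELECT name FROM users WHERE login = ?", (login,))
    return [row[0] for row in cur.fetchall()]


def demo_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "Site Admin"), ("o'brien", "Pat O'Brien")])
    return conn
```

magic_quotes_gpc was removed in PHP 5.4, so the workaround named in the Solution section is unavailable on current PHP; parameter binding and path containment are the durable fixes.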

====================================================================== 
5) Solution 

Ensure that "magic_quotes_gpc" is enabled and grant only trusted users
administrative access to the application.

====================================================================== 
6) Time Table 

04/12/2009 - Vendor notified.
23/12/2009 - Vendor notified again (2nd attempt).
29/12/2009 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Chaitanya Sharma, Secunia.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has not 
currently assigned any CVE identifiers for these vulnerabilities.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-2/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
