Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb

2008.03.06
Credit: Gregory LEBRAS
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2003-1548 | CVE-2003-1549
CWE: CWE-79

________________________________________________________________________ Security Corporation Security Advisory [SCSA-010] ________________________________________________________________________ PROGRAM: MyABraCaDaWeb HOMEPAGE: http://www.webmaster-mag.net/ VULNERABLE VERSIONS: v1.0.2 and prior ________________________________________________________________________ DESCRIPTION ________________________________________________________________________ MyABraCaDaWeb is an other Content Management Systems like PHP-Nuke More informations at : http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (In French) DETAILS & EXPLOITS ________________________________________________________________________ Path Disclosure : Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers to determine the physical path of the application. This vulnerability would allow a remote user to determine the full path to the web root directory and other potentially sensitive information. This vulnerability can be triggered by a remote user submitting a specially crafted HTTP request, such as a request for an invalid Admin ID. Exploits : http://[target]/index.php?IDAdmin=test http://[target]/index.php?base=test http://[target]/index.php?tampon=test http://[target]/index.php?SqlQuery=test etc... --------------------------------------- Cross Site Scripting : A Cross-Site Scripting vulnerability have been found in MyABraCaDaWeb which allow attackers to inject script codes into the search script and use them on clients browser as if they were provided by the site. This Cross-Site Scripting vulnerability are found in the page for searching keyword. An attacker can input specially crafted links and/or other malicious scripts. Exploit : http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw= [hostile_c ode] The module could be : "annuaire2liens" The hostile code could be : [script]alert("Cookie="+document.cookie)[/script] (open a window with the cookie of the visitor.) (replace [] by <>) Vulnerable code "header.php" : #################################################################### //---Creation du rapport $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### SOLUTIONS ________________________________________________________________________ Path Disclosure : No solution for the moment. Cross Site Scripting : You can found a patch at the following link : http://www.security- corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpat ch.zip For example use this code in "header.php": #################################################################### //---Creation du rapport # BugFix by Gregory LEBRAS www.security-corporation.com $ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw); $ma_kw = eregi_replace("include","!include!",$ma_kw); $ma_kw = eregi_replace("\<\?","<.?",$ma_kw); $ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw); $ma_kw = eregi_replace("\?\>","?.>",$ma_kw); $ma_kw = eregi_replace("<script>","<.script>",$ma_kw); $ma_kw = eregi_replace("</script>","<./script>",$ma_kw); $ma_kw = eregi_replace("javascript","!javascript!",$ma_kw); $ma_kw = eregi_replace("embed","!embed!",$ma_kw); $ma_kw = eregi_replace("iframe","!iframe!",$ma_kw); $ma_kw = eregi_replace("refresh","!refresh!",$ma_kw); $ma_kw = eregi_replace("onload","!onload!",$ma_kw); $ma_kw = eregi_replace("onstart","!onstart!",$ma_kw); $ma_kw = eregi_replace("onerror","!onerror!",$ma_kw); $ma_kw = eregi_replace("onabort","!onabort!",$ma_kw); $ma_kw = eregi_replace("onblur","!onblur!",$ma_kw); $ma_kw = eregi_replace("onchange","!onchange!",$ma_kw); $ma_kw = eregi_replace("onclick","!onclick!",$ma_kw); $ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw); $ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw); $ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw); $ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw); $ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw); $ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw); $ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw); $ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw); $ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw); $ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw); $ma_kw = eregi_replace("onreset","!onreset!",$ma_kw); $ma_kw = eregi_replace("onselect","!onselect!",$ma_kw); $ma_kw = eregi_replace("onsubmit","!onsubmit!",$ma_kw); $ma_kw = eregi_replace("onunload","!onunload!",$ma_kw); $ma_kw = eregi_replace("document.cookie","!document.cookie!",$ma_kw); $ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw); $ma_kw = eregi_replace("location","!location!",$ma_kw); $ma_kw = eregi_replace("object","!object!",$ma_kw); $ma_kw = eregi_replace("vbs","!vbs!",$ma_kw); $ma_kw = eregi_replace("href","!href!",$ma_kw); $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### VENDOR STATUS ________________________________________________________________________ The vendor has reportedly been notified. It currently develops a patch. LINKS ________________________________________________________________________ http://www.security-corporation.com/index.php?id=advisories&a=010 http://www.security-corp.org/index.php?ink=4-15-1 ------------------------------------------------------------------------ - Grgory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com ------------------------------------------------------------------------ -


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top