|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 3717 CVE : CVE-2003-1548 CVE : CVE-2003-1549 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : Gregory LEBRAS Published : 06.03.2008
Advisory Text : ________________________________________________________________________ Security Corporation Security Advisory [SCSA-010] ________________________________________________________________________ PROGRAM: MyABraCaDaWeb HOMEPAGE: http://www.webmaster-mag.net/ VULNERABLE VERSIONS: v1.0.2 and prior ________________________________________________________________________ DESCRIPTION ________________________________________________________________________ MyABraCaDaWeb is an other Content Management Systems like PHP-Nuke More informations at : http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (In French) DETAILS & EXPLOITS ________________________________________________________________________ ¤ Path Disclosure : Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers to determine the physical path of the application. This vulnerability would allow a remote user to determine the full path to the web root directory and other potentially sensitive information. This vulnerability can be triggered by a remote user submitting a specially crafted HTTP request, such as a request for an invalid Admin ID. Exploits : http://[target]/index.php?IDAdmin=test http://[target]/index.php?base=test http://[target]/index.php?tampon=test http://[target]/index.php?SqlQuery=test etc... --------------------------------------- ¤ Cross Site Scripting : A Cross-Site Scripting vulnerability have been found in MyABraCaDaWeb which allow attackers to inject script codes into the search script and use them on clients browser as if they were provided by the site. This Cross-Site Scripting vulnerability are found in the page for searching keyword. An attacker can input specially crafted links and/or other malicious scripts. Exploit : http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw= [hostile_c ode] The module could be : "annuaire2liens" The hostile code could be : [script]alert("Cookie="+document.cookie)[/script] (open a window with the cookie of the visitor.) (replace [] by <>) Vulnerable code "header.php" : #################################################################### //---Creation du rapport $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### SOLUTIONS ________________________________________________________________________ ¤ Path Disclosure : No solution for the moment. ¤ Cross Site Scripting : You can found a patch at the following link : http://www.security- corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpat ch.zip For example use this code in "header.php": #################################################################### //---Creation du rapport # BugFix by Gregory LEBRAS www.security-corporation.com $ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw); $ma_kw = eregi_replace("include","!include!",$ma_kw); $ma_kw = eregi_replace("<?","<.?",$ma_kw); $ma_kw = eregi_replace("?php",".?php",$ma_kw); $ma_kw = eregi_replace("?>","?.>",$ma_kw); $ma_kw = eregi_replace("<script>","<.script>",$ma_kw); $ma_kw = eregi_replace("</script>","<./script>",$ma_kw); $ma_kw = eregi_replace("javascript","!javascript!",$ma_kw); $ma_kw = eregi_replace("embed","!embed!",$ma_kw); $ma_kw = eregi_replace("iframe","!iframe!",$ma_kw); $ma_kw = eregi_replace("refresh","!refresh!",$ma_kw); $ma_kw = eregi_replace("onload","!onload!",$ma_kw); $ma_kw = eregi_replace("onstart","!onstart!",$ma_kw); $ma_kw = eregi_replace("onerror","!onerror!",$ma_kw); $ma_kw = eregi_replace("onabort","!onabort!",$ma_kw); $ma_kw = eregi_replace("onblur","!onblur!",$ma_kw); $ma_kw = eregi_replace("onchange","!onchange!",$ma_kw); $ma_kw = eregi_replace("onclick","!onclick!",$ma_kw); $ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw); $ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw); $ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw); $ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw); $ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw); $ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw); $ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw); $ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw); $ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw); $ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw); $ma_kw = eregi_replace("onreset","!onreset!",$ma_kw); $ma_kw = eregi_replace("onselect","!onselect!",$ma_kw); $ma_kw = eregi_replace("onsubmit","!onsubmit!",$ma_kw); $ma_kw = eregi_replace("onunload","!onunload!",$ma_kw); $ma_kw = eregi_replace("document.cookie","!document.cookie!",$ma_kw); $ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw); $ma_kw = eregi_replace("location","!location!",$ma_kw); $ma_kw = eregi_replace("object","!object!",$ma_kw); $ma_kw = eregi_replace("vbs","!vbs!",$ma_kw); $ma_kw = eregi_replace("href","!href!",$ma_kw); $vtp_p = new VTemplate; $tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl"); $vtp_p->addSession($tpl_p,"rapport"); $vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw); $vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle); $vtp_p->setVar($tpl_p,"rapport.T3",$T3); $vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens); if(quel_groupe() == 4){ $sql = htmlentities($sql); $sql = addslashes($sql); $vtp_p->addSession($tpl_p,"sql"); $vtp_p->setVar($tpl_p,"sql.sql",$sql); $vtp_p->closeSession($tpl_p,"sql"); } $vtp_p->closeSession($tpl_p,"rapport"); $Raport = $vtp_p->Display($tpl_p,0); #################################################################### VENDOR STATUS ________________________________________________________________________ The vendor has reportedly been notified. It currently develops a patch. LINKS ________________________________________________________________________ http://www.security-corporation.com/index.php?id=advisories&a=010 http://www.security-corp.org/index.php?ink=4-15-1 ------------------------------------------------------------------------ - Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com ------------------------------------------------------------------------ - Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
*BSD libc (strfmon) Multiple vulnerabilities
Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems. |
||
| Apache |  |
|
» Apache Tomcat <= |
||
| PHP | |
|
» PHP 5.2.5 and prior : |
||
- 2008-03-25| Copyright © SecurityReason. All Rights Reserved. |