Jaws Errors Let Remote Users View Files and Gain Administrative Access
SecurityTracker Alert ID: 1010651|
SecurityTracker URL: http://securitytracker.com/id/1010651
(Links to External Site)
Date: Jul 6 2004
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Several vulnerabilities were reported in Jaws. A remote user can gain administrative access. A remote user can view files on the target system. A remote user can also determine the installation path and conduct cross-site scripting attacks.|
Fernando Quintero reported that a remote user can gain administrative access on the target application due to a logic error in the logged_on() function. A remote user can reportedly set a specially crafted cookie value set to the MD5 hash of a null value to gain access via 'admin.php', the report said.
It is also reported that a remote user can traverse the directory to view arbitrary files on the target system with the privileges of the web service. A demonstration exploit URL is provided:
It is also reported that a remote user can determine the installation path by invoking the following type of URL with a path value that does not exist on the target server:
A remote user can also attempt to directly load files in the include directory to cause the system to display the installation path. A demonstration exploit example is provided:
It is also reported that the software does not filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Jaws software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold letter</b>
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<script>alert('Colombia Rulx!!');</script>
A remote user can gain administrative access on the application.|
A remote user can view files on the target system with the privileges of the web service.
A remote user can determine the installation path.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Jaws software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a fix for version 0.3. To fix this issue, the vendor indicates that you should replace your 'index.php' file with this:|
Vendor URL: www.jaws.com.mx/ (Links to External Site)
Access control error, Authentication error, Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: [Full-Disclosure] Multiples vulnerabilities in JAWS|
//// Vulnerable Program: JAWS
//// Version : 0.3 ; it's BETA probably ;)
//// Url: http://www.jaws.com.mx
//// The Bug: Multiples vulnerabilities
//// Date: Today, July 5 off 2004
//// Author: Fernando Quintero (a.k.a nonroot)
//// Email: email@example.com
I. Affected software description:
Jaws is a Framework and Content Management System for building dynamic
It aims to be User Friendly giving ease of use and lots of ways to
customize web sites,
but at the same time is Developer Frendly, it offers a simple and
powerful framework to hack
your own modules. Jaws is Free Software under the GPL.
note: to hack your own modules, to hack your own modules, to hack your
own modules... ;)
There are some vulnerabilities in the jaws code, it's were fixed quickly
by your main coder.
1) Full path disclosure ...
There are many ways to determine the full path to the web root directory:
Specifying a variable path, that does not exist.
b) function jaws_error($text, $file, $line)
print ("<b style=\"color: #f00;\" JAWS
The jaws_error() function, it returns the line and the full path to
the name of the file.
Trying to open some file in the include directory.
2) Arbitrary file browsing.
We can acceded to the file's content through the variable gadget.
This line show us the passwd file.
The use of the "path" variable is irrelevant, in the code can be seen a
$path= str_replace ("..","",$path) --> at this way we filter the content
of path, but in the
index.php file the "gadget" variable is not filter.
The "%00" is necessary because the script adds at the end of the name of
"gadget" variable the extencion ".php"
3) XSS (the fashionable word)
Cross site scripting in the variable action, because it script returns
the content of the variable:
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold
In the index.php the vulnerable code is:
jaws_error ("Invalid operation: You can't display this action
where "$go_gadget->action" content the erroneus action.
4) Validation without a password :)
There exist a way that allow us to get in the control panel with
administrator rights without a password.
The admin.php file have:
control panel code...
The logged_on() function is in the application.php file.
The function's code.
return (md5($_SESSION["logged"]) ==$_COOKIE["logged"]);
Is extrange to see this type of validation but there is!.
The $_SESSION["logged"] variable before entering the Control Panel it has
a Null ("") value.
a possible way to exploit it should be:
Where "d41d8cd98f00b204e9800998ecf8427e" is the MD5 hash for the NULL value
This way we can create a cookie ( that look like from the remote system)
and then try the Url:
and we will be inside.
The main coder was contacted and the code was fixed in the cvs ;).
- Greets to GIGAX people.
- Greets All the community. I learn of you!
VI. Final words
- Sorry by the english and !!! Viva Colombia !!!!!!!!
Full-Disclosure - We believe in it.
Go to the Top of This SecurityTracker Archive Page