SecurityTracker.com

SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   SixCMS
Vendors:   Six Offene Systeme
SixCMS Input Validation Holes Permit Cross-Site Scripting and Directory Traversal Attacks
SecurityTracker Alert ID:  1016282
SecurityTracker URL:  http://securitytracker.com/id/1016282
CVE Reference:   CVE-2006-3050, CVE-2006-3051   (Links to External Site)
Updated:  Jun 20 2006
Original Entry Date:  Jun 13 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6 and prior versions
Description:   David 'Aesthetico' Vieira-Kurz of MajorSecurity reported a vulnerability in SixCMS. A remote user can conduct cross-site scripting attacks. A remote user can view files on the target system.

The 'detail.php' script does not properly validate user-supplied input in the 'template' parameter. A remote user can supply a specially crafted request containing '../' directory traversal sequences to view files on the target system that are located outside of the document directory. The trailing '%00' in the demonstration URL below is a URL-encoded NUL byte; PHP versions of that era truncated file paths at a NUL, so any suffix the script appended to the template name (such as a file extension) was discarded.

A demonstration exploit URL is provided:

/detail.php?template=../../../../../../etc/passwd%00
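The following is an added example, not SixCMS code and not part of the original advisory. It shows a hypothetical template loader of the kind the 'detail.php' finding describes beside a hardened replacement that rejects both the '../' traversal and the NUL truncation, and it runs the advisory's payload (URL-decoded) through the hardened version. The directory layout, the '.tpl' suffix and the function names are assumptions made for the example; only the 'template' parameter name comes from the advisory.

```php
<?php
// Added example (not SixCMS code): a hypothetical template loader of the
// kind the detail.php advisory describes, beside a hardened replacement.
// Assumed, not taken from the advisory: templates are files named
// <name>.tpl in one directory; the parameter name 'template' is the page's.

declare(strict_types=1);

// VULNERABLE pattern, for illustration only. With register_globals = On,
// $template arrives straight from ?template=... The '../' sequences walk out
// of $dir, and on PHP < 5.3.4 the %00 (a NUL byte) truncated the path so the
// appended '.tpl' was dropped and /etc/passwd itself was read. PHP 5.3.4+
// rejects paths containing NUL (PHP 8 throws a ValueError), but the
// traversal still works against any file that really ends in '.tpl'.
function load_template_vulnerable(string $dir, string $template): string
{
    return (string) file_get_contents($dir . '/' . $template . '.tpl');
}

// HARDENED: no user-controlled path fragment reaches the filesystem.
//  1. The caller reads the parameter explicitly from $_GET; nothing relies on
//     register_globals.
//  2. Only a strict identifier is accepted: no '/', '\', '.' or NUL, so both
//     the traversal and the NUL truncation are rejected up front.
//  3. The resolved path is compared against the resolved base directory,
//     which also catches symlinks planted inside the template directory.
function load_template(string $dir, string $template): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template)) {
        throw new InvalidArgumentException('invalid template name');
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $template . '.tpl');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        throw new RuntimeException('template not found');
    }
    return (string) file_get_contents($path);
}

// Demonstration against a throw-away template directory created here, so the
// script runs anywhere. The first input is the advisory's payload, URL-decoded
// (%00 becomes "\0"); the second is a legitimate name.
$dir = sys_get_temp_dir() . '/sixcms_tpl_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/article.tpl', "<h1>Article</h1>\n");

foreach (["../../../../../../etc/passwd\0", 'article'] as $name) {
    $shown = addcslashes($name, "\0..\37");   // make the NUL visible as \000
    try {
        $out = load_template($dir, $name);
        echo "accepted '$shown': ", strlen($out), " bytes\n";
    } catch (Throwable $e) {
        echo "rejected '$shown': ", $e->getMessage(), "\n";
    }
}

unlink($dir . '/article.tpl');
rmdir($dir);
```

The identifier check alone stops the advisory's payload; the realpath() containment test is kept as defence in depth so that a future change to the accepted character set, or a symlink dropped into the template directory, cannot reopen the hole.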

The 'list.php' script does not properly filter HTML code from user-supplied input in the 'page' parameter before echoing it back. A remote user can create a specially crafted URL that, when loaded by a target user, causes arbitrary script code to execute in the target user's browser. Because the code originates from the site running the SixCMS software, it runs in that site's security context: it can access the target user's cookies for the site (including authentication cookies), read data the target user recently submitted to the site via web forms, or take actions on the site as that user.

A demonstration exploit URL is provided:

/list.php?page=<script>alert("MajorSecurity")</script>

The original advisory is available at:

http://www.majorsecurity.de/advisory/major_rls17.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SixCMS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can view files on the target system.

Solution:   The vendor has issued a fixed version (6.0.6patch2), available from the vendor's support site.
Vendor URL:  www.six.de/de/produkte/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [MajorSecurity #17] SixCMS <= 6 - Multiple XSS and directory

[MajorSecurity #17] SixCMS <= 6 - Multiple XSS and directory traversal
vulnerabilities
----------------------------------------------

Software: SixCMS

Version: <=6

Type: Cross site scripting

Date: June, 12th 2006

Vendor: Six Offene Systeme GmbH

Page: http://www.sixcms.de


Credits:
----------------------------------------------

Discovered by: David "Aesthetico" Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls17.txt

Affected Products:
----------------------------------------------

SixCMS 6 and prior

Description:
----------------------------------------------

SixCMS is a well known and commercial enterprise Content Management System.

Requirements:
----------------------------------------------

register_globals = On

Vulnerability:
----------------------------------------------

Input passed to the "template" parameter in "detail.php" is not
properly verified before it is used to execute the given arguments.

Acquiring access to known files outside of the web root and current directory
is possible through directory traversal techniques.
This is made possible through the use of "../../" in a HTTP request.

Input passed to the "page" parameter in "list.php" is not properly sanitised,
before it is used to execute the given arguments.
This can be exploited to execute arbitrary HTML and script code in context of an
affected site.


Solution:
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with the "htmlspecialchars()" or "strip_tags()" php-function to
ensure that html tags are not going to be executed.

Example:
<?php
  echo htmlspecialchars("<script");
?>

Set "register_globals" to "Off".

Examples:
----------------------------------------------
/detail.php?template=../../../../../../etc/passwd%00
/list.php?page=<script>alert("MajorSecurity")</script>
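The following is an added example, not SixCMS code and not part of the advisory above. It illustrates both the 'list.php' cross-site scripting finding and the Solution section's advice: the raw reflection of 'page', a version that relies on strip_tags() alone, and a hardened version that encodes every interpolation with htmlspecialchars() using the flags a practitioner should set. The surrounding markup is a hypothetical stand-in for the real template, the attribute-context input is constructed for the example, and the function names are assumptions; the 'page' parameter name and the <script> payload are the advisory's.

```php
<?php
// Added example (not SixCMS code): output encoding for a reflected query
// parameter such as list.php's 'page'. The parameter name and the PoC payload
// are the advisory's; the surrounding markup is a hypothetical stand-in for
// the real template and the attribute-context payload is constructed here.

declare(strict_types=1);

// The encoder the advisory recommends, with the flags it should be called
// with: ENT_QUOTES also encodes single quotes (the default flags do not,
// which matters inside single-quoted attributes), ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string, and the charset is
// stated explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// VULNERABLE: the parameter is echoed raw, which is what register_globals = On
// plus "echo $page" amounts to.
function render_vulnerable(string $page): string
{
    return '<a href="list.php?page=' . $page . '">Page ' . $page . '</a>';
}

// INSUFFICIENT: strip_tags() removes elements, so it defeats the advisory's
// <script> payload, but an attribute injection contains no tags and passes
// through untouched. strip_tags() is a content filter, not an output encoder.
function render_strip_tags_only(string $page): string
{
    $clean = strip_tags($page);
    return '<a href="list.php?page=' . $clean . '">Page ' . $clean . '</a>';
}

// HARDENED: the caller reads the value from $_GET explicitly (no
// register_globals) and every interpolation into HTML goes through h().
// Inside the href the value is additionally URL-encoded first, because that
// position is a query-string value before it is an HTML attribute.
// If 'page' is really a page number, validating it as an integer first
// (filter_var($page, FILTER_VALIDATE_INT)) is the cleaner fix; the encoding
// is shown here because it is what protects free-text parameters as well.
function render(string $page): string
{
    return '<a href="list.php?page=' . h(rawurlencode($page)) . '">Page ' . h($page) . '</a>';
}

$inputs = [
    '<script>alert("MajorSecurity")</script>',   // advisory's PoC, URL-decoded
    '1" onmouseover="alert(1)',                  // constructed: breaks out of href
];

foreach ($inputs as $page) {
    echo "input:           ", $page, "\n";
    echo "vulnerable:      ", render_vulnerable($page), "\n";
    echo "strip_tags only: ", render_strip_tags_only($page), "\n";
    echo "hardened:        ", render($page), "\n\n";
}
```

Running it shows the point the advisory's Solution leaves implicit: strip_tags() happens to neutralise the <script> payload but leaves the attribute-breaking input fully intact, whereas htmlspecialchars() with ENT_QUOTES renders both harmless in text and attribute context alike.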

Copyright 2019, SecurityGlobal.net LLC