SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   SchoolAlumni Portal
Vendors:   alumniportal.sourceforge.net
SchoolAlumni Portal Input Validation Hole Permits Cross-Site Scripting Attacks and Include File Bug Lets Remote Users Execute Local PHP Code
SecurityTracker Alert ID:  1017105
SecurityTracker URL:  http://securitytracker.com/id/1017105
CVE Reference:   CVE-2006-5528, CVE-2006-5529
Updated:  Jun 2 2008
Original Entry Date:  Oct 23 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.26
Description:   MP reported a vulnerability in SchoolAlumni Portal. A remote user can include and execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks.

The 'mod.php' script does not properly validate user-supplied input in the 'mod' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from files located on the target system. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

/mod.php?mod=../../../../../../../../../../../../../etc/passwd%00
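The source message quoted further down shows 'mod.php' building its include path as "./mod/$mod/index.php" directly from the request. One way to constrain that lookup, as an added example that is not SchoolAlumni Portal code; MODULE_ROOT and resolve_module() are hypothetical names, and reading the value from $_GET is an assumption about how the parameter arrives:

```php
<?php
// Added example, not the project's code. MODULE_ROOT and resolve_module()
// are hypothetical names introduced for this illustration.
const MODULE_ROOT = __DIR__ . '/mod';

/**
 * Map a request-supplied module name to the index.php inside MODULE_ROOT.
 * Returns the resolved path, or null if the name is not an installed module.
 */
function resolve_module($mod): ?string
{
    // Only plain strings are acceptable; ?mod[]=x arrives as an array.
    if (!is_string($mod)) {
        return null;
    }
    // Character allowlist: no '/', '\', '.', or NUL byte can pass, so
    // "../" sequences and a trailing %00 are rejected before any file access.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $mod)) {
        return null;
    }
    // Defence in depth: resolve symlinks and confirm containment.
    $root = realpath(MODULE_ROOT);
    $path = realpath(MODULE_ROOT . '/' . $mod . '/index.php');
    if ($root === false || $path === false) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter explicitly rather than using a bare $mod variable.
$path = resolve_module($_GET['mod'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('Unknown module');
}
include $path;
```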

The 'katalog.php' script does not properly filter HTML code from user-supplied input in the 'query' parameter before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SchoolAlumni Portal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

/smumdadotcom_ascyb_alumni/mod.php?mod=katalog&op=search&query=%3Cscript%3Ealert('XSS')%3C/script%3E
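The SearchForm() code quoted in the source message below interpolates $query into the form's action attribute unescaped. The same form with the value encoded for each context it passes through, as an added example that is not SchoolAlumni Portal code; h() and search_form() are hypothetical names and the sample input is constructed from the demonstration URL:

```php
<?php
// Added example, not the project's code. h() and search_form() are
// hypothetical names introduced for this illustration.

/** Escape a value for HTML text or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the katalog search form with $query encoded per context. */
function search_form(string $query): string
{
    // Step 1, URL context: percent-encode the value as a query component.
    $action = 'mod.php?' . http_build_query(
        ['mod' => 'katalog', 'op' => 'search', 'query' => $query],
        '',
        '&',
        PHP_QUERY_RFC3986
    );
    // Step 2, HTML attribute context: escape the finished URL, which also
    // turns the '&' separators into '&amp;'.
    return '<form action="' . h($action) . '" method="post">' . "\n"
         . '<table border="0" cellspacing="0" cellpadding="0" align="center">' . "\n"
         . '<tr><td class="type5">' . "\n"
         . '  <input type="text" size="30" maxlength="200" name="query" />' . "\n"
         . '  <input type="submit" value="Search" /><br />' . "\n"
         . '</td></tr>' . "\n"
         . '</table>' . "\n"
         . '</form>' . "\n";
}

// Constructed sample input: the value carried by the demonstration URL.
$sample = "<script>alert('XSS')</script>";
echo search_form($sample);

// Anywhere the search term is echoed back as page text, use h() as well.
echo '<p>Results for: ' . h($sample) . '</p>' . "\n";
```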

Impact:   A remote user can execute PHP code from files located on the target system. The code will run with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SchoolAlumni Portal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/projects/alumniportal/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Local File Include|XSS Vulnerability [ SchoolAlumni Portal <= ver 4- Beta ]

## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
#                                                               #
#           [ SchoolAlumni Portal <=  ver 4- Beta ]             #
#                                                               #
# Class:     Local File Include|XSS Vulnerability               #
# Patch:     Unavailable                                        #
# Published  2006/10/20                                         #
# Remote:    Yes                                                #
# Local:     No                                                 #
# Type:      High                                               #
# Site:      http://sourceforge.net/projects/alumniportal/      #
# Author:    MP                                                 #
# Contact:   mp01010@yahoo.com                                  #
#                                                               #
#################################################################

# Vuln 1.0
Vuln Code: (smumdadotcom_ascyb_alumni/mod.php):
<?php

include("./mod/$mod/index.php");

?>

Vuln:
/mod.php?mod=../../../../../../../../../../../../../etc/passwd%00

# Vuln 2.0
Vuln Code: (/mod/katalog/katalog.php):
function SearchForm()
{
        echo "
        <form action=\"mod.php?mod=katalog&amp;op=search&amp;query=$query\" method=\"post\">
        <table border=\"0\" cellspacing=\"0\" cellpadding=\"0\" align=\"center\">
        <tr><td class=\"type5\">
                <input type=\"text\" size=\"30\" maxlength=\"200\" name=\"query\" />
                <input type=\"submit\" value=\"Search\" /><br />
        </td></tr>
        </table>
        </form>";
}

Vuln: <script>alert('XSS')</script>
/smumdadotcom_ascyb_alumni/mod.php?mod=katalog&op=search&query=%3Cscript%3Ealert('XSS')%3C/script%3E

 
 



Copyright 2019, SecurityGlobal.net LLC