------------------------------------------------------------------------
----
Various Vulnerabilities in OWL Intranet Engine
------------------------------------------------------------------------
----
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
OWL 0.7 and 0.8 - Owl is a multi user document repository
(knowledgebase)
system written in PHP4 for publishing files/documents onto the web for
a
corporation, small business, group of people, or just for yourself.
The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
----
Various Vulnerabilities in OWL Intranet Engine
------------------------------------------------------------------------
----
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
------------------------------------------------------------------------
---
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OWL 0.7 and 0.8 - Owl is a multi user document repository
(knowledgebase)
system written in PHP4 for publishing files/documents onto the web for
a
corporation, small business, group of people, or just for yourself.
Web : http://owl.sourceforge.net/
------------------------------------------------------------------------
---
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting Vulnerabilities
A1. In the script browser various parameters, that are used to write the
html code, not are verified.
Test URLS :
http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-se
ssion-id>&parent=115&expand=1'><script>alert(document.location)</script>
&order=creatorid&sortposted=DESC
http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-se
ssion-id>&parent=115&expand=1&order=creatorid'><script>alert(document.lo
cation)</script>&sortposted=DESC
B. SQL Injection Vulnerabilities
B1. In the browser.php script the following parameters are vulnerables
to an
SQL Injection attacks.
Test URLS :
http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-se
ssion-id>&parent=104[SQL%20INJECTION]&expand=1&order=creatorid&sortposte
d=DESC
http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-se
ssion-id>&parent=104&expand=1&order=creatorid&sortposted=DESC[SQL%20INJE
CTION]
The fix:
~~~~~~~~
All problems are fixed in the CVS.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
------------------------------------------------------------------------
---
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
[ reply ]