2z-project Multiple Security Vulnerabilities Dec 28 2007 01:26PM
Digital Security Research Group [DSecRG] (research dsec ru)

Digital Security Research Group [DSecRG] Advisory

Name: 2z project
Systems Affected: 2z project
Vendor URL: http://2z-project.ru
Authors: Alexandr Polyakov, Stas Svistunovich
Digital Security Reasearch Group [DSecRG] (research [at] dsec [dot] ru)
Reported: 27.12.2007
Vendor response: 27.12.2007
Date of Public Advisory: 28.12.2007


2z system has multiple security vulnerabilities:

1. Stored XSS
2. Linked XSS
3. Image XSS
4. Path disclosure
5. Vulnerable Password changing algorithm


1. Multiple Stored XSS

1.1 Vulnerability in script http://[server]/[installdir]/?action=addnews in post parameters:

parameter name = contentshort
parameter name = contentfull


contentshort=<script>alert('DSecRG XSS')</script>
contentfull=<script>alert('DSecRG XSS')</script>

1.2 Vulnerability in script http://[server]/[installdir]/2z/admin.php?mod=pm&action=write

parameter name = content


content=<script>alert('DSecRG XSS')</script>


2. Linked XSS Vulnerability in page index.php.
Working only if user not logged in. So it can be used for Phishing (see Example).

Template /templates/default/usermenu.tpl have vulnetability parameter "referer".
This template included to index.php, so it can be used for Phishing.

Source code of usermenu.tpl:
<form name="login" method="post" action="" id="login">
<input type="hidden" name="referer" value="{request_uri}" /> <-- html code injected into {request_uri}
<input type="hidden" name="action" value="dologin" />
<input onfocus="if (!set_login){set_login=1;this.value='';}" value="{l_name}" class="mw_login_form" type="text" name="username" maxlength="60" size="25" />
<input onfocus="if(!set_pass){set_pass=1;this.value='';}" value="{l_password}" class="mw_login_form" type="password" name="password" maxlength="20" size="25" />




3. Image XSS Vulnetability in page /2z/?action=profile

Attacker can upload avatar and photo contained a XSS code.

Vulnerable parameters: newavatar, newphoto

For more information see http://www.dsec.ru/about/articles/web_xss/ (in russian)


4. Path disclosure

By exploiting this issue, an attacker may gain sensitive information on the directory
structure of the server machine, which allows for further attacks against the site.




5. Password changing vulnerabiluity

Old password not needed to change password.



Digital Security is leading IT security company in Russia, providing information
security consulting, audit and penetration testing services, risk analysis and
ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards.
Digital Security Research Group focuses on web application and database security
problems with vulnerability reports, advisories and whitepapers posted regularly
on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus