Back to list
[InterN0T] SkyBlueCanvas 1.1 r237 - Multiple Vulnerabilities
Jun 12 2009 07:13PM
security intern0t net
SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities
Version Affected: 1.1 r237 (newest version: 1.1 r246)
Info: SkyBlueCanvas Lightweight CMS is an open source, free content management system written in php and built specifically for small web sites. The entire site you are viewing is a demonstration of the SkyBlueCanvas lightweight CMS. SkyBlueCanvas is custom-built for those instances when more robust systems like Joomla, WordPress and Drupal are too much horsepower.
-:: The Advisory ::-
Vulnerable Function / ID Calls:
mgroup, mgr, objtype, id & dir.
Cross Site Scripting: (requires administrator access - will not survive a login screen)
http://[HOST]/skybluecanvas/admin.php?mgroup=" onmouseover=alert(0) > &mgr=email&objtype=email&sub=viewemail&id=2
http://[HOST]/skybluecanvas/admin.php?mgroup=collections&mgr=" onmouseover=alert(0) > &com=manager
Impossible XSS: (XML errors or hidden tags preventing use of event handlers.)
&sub=editpage&id=" onfocus=alert(0) >
Path Content Disclosure: (requires admin privileges)
-- This was done in a folder where /skybluecanvas was located in: /var/www/somesite.tld/awebdir/skybluecanvas/
--=-- In the above, if One goes to a folder with many subdirectories the above will fail due to a memory allocation flaw.
Path Disclosure: (requires admin privileges)
-:: Solution ::-
Filter event handlers out from function calls.
Pretty secure system overall but if One is a little inventive, then the above issues might be exploitable.
- Vulnerabilities found, researched and confirmed between 5th to 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Buqtraq (SecurityFocus) contacted the 12th June.
All of the best,
[ reply ]
Copyright 2010, SecurityFocus