[Full-Disclosure] [SCSA-020] Multiple vulnerabilities in AttilaPHP

From: Gregory LEBRAS (gregory.lebras_at_security-corporation.com)
Date: 08/18/03

  • Next message: henry j. mason: "Re: [Full-Disclosure] Blaster Side Affect?"
    To: "Full Disclosure Mailing List" <full-disclosure@lists.netsys.com>
    Date: Mon, 18 Aug 2003 14:06:40 +0200
    
    

    ======================================================================
    Security Corporation Security Advisory [SCSA-020]

    Multiple vulnerabilities in AttilaPHP
    ======================================================================

    PROGRAM: AttilaPHP
    HOMEPAGE: http://www.attila-php.net
    VULNERABLE VERSIONS: 3.0 and prior ?
    RISK: Low/Medium
    IMPACT: Cross Site Scripting
    Script Injection
    Path Disclosure
    RELEASE DATE: 2003-08-18

    ======================================================================
    TABLE OF CONTENTS
    ======================================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6..................................................DISCLOSURE TIMELINE
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    ======================================================================

    AttilaPHP is an other Content Management Systems like PHP-Nuke

    More informations at : http://www.attila-php.net (In French)

    2. DETAILS
    ======================================================================

    - Cross Site Scripting :

    Many exploitable bugs was found in AttilaPHP which cause script
    execution on client's computer by following a crafted url.

    This kind of attack known as "Cross-Site Scripting Vulnerability"
    is present in many section of the web site, an attacker can input
    specially crafted links and/or other malicious scripts.

    - Script Injection :

    A vulnerability have been found in AttilaPHP which allow attackers
    to inject script codes into the homepage and use them on clients
    browser as if they were provided by the site.

    - Path Disclosure :

    Many vulnerabilities have been found in AttilaPHP which allow
    attackers to determine the physical path of the application.

    These vulnerabilities would allow a remote user to determine the
    full path to the web root directory and other potentially
    sensitive information. This vulnerability can be triggered by a
    remote user submitting a specially crafted HTTP request.

    3. EXPLOIT
    ======================================================================

    - Cross Site Scripting :

    http://[target]/index.php3?Rubrique=[hostile_code]

    http://[target]/index.php3?article=[id_number]&Rubrique=[hostile_code]

    The hostile code could be :

    [script]alert("Cookie="+document.cookie)[/script]

    (open a window with the cookie of the visitor.)

    (replace [] by <>)

    - Script Injection :

    http://[target]/www/user_action.php3?op=enter_text&rubrique=[rubrique_id]

    The vulnerability is at the level of the interpretation of the "Titre",
    "Texte", "Texte associé au lien" field.

    Indeed, the insertion of a hostile code script in this field makes it
    possible to a malicious user to carry out this script on the navigator
    of the visitors.

    - Path Disclosure :

    http://[target]/www/print.php3?id='

    http://[target]/www/index.php3?nrub='

    http://[target]/www/index.php3?article='

    4. SOLUTIONS
    ======================================================================

    No solution for the moment. AttilaPhp's Team is working on an update.

    5. WORKAROUND
    ======================================================================

    - Cross Site Scripting :

    Use the function php eregi_replace to filter the input data.

    - Path Disclosure :

    You can fix the path disclosure problem by adding this code in
    all the affected files :

    -------CUT-------

    error_reporting(0);

    -------CUT-------

    6. DISCLOSURE TIMELINE
    ======================================================================

    24/06/2003 Vulnerability discovered
    25/06/2003 Vendor notified - First e-mail
    26/06/2003 Security Corporation clients notified
    08/07/2003 Vendor notified - Second e-mail
    01/08/2003 Vendor notified - Third e-mail
    01/08/2003 Vendor response
    01/08/2003 Started e-mail discussions
    18/08/2003 Last e-mail received
    18/08/2003 Public disclosure

    7. CREDITS
    ======================================================================

    Discovered by Gregory Le Bras <gregory.lebras@security-corporation.com>

    8. DISLAIMER
    ======================================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    ======================================================================

    - Original Version:
    http://www.security-corporation.com/advisories-020.html

    - Version Française:
    http://www.security-corporation.com/index.php?id=advisories&a=020-FR

    10. FEEDBACK
    ======================================================================

    Please send suggestions, updates, and comments to:

    Security Corporation
    http://www.security-corporation.com
    info@security-corporation.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: henry j. mason: "Re: [Full-Disclosure] Blaster Side Affect?"