[UNIX] Path Disclosure and Cross Site Scripting Vulnerability in MyABraCaDaWeb
From: support@securiteam.com
Date: 03/19/03
From: support@securiteam.com To: list@securiteam.com Date: 19 Mar 2003 13:07:01 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Path Disclosure and Cross Site Scripting Vulnerability in MyABraCaDaWeb
------------------------------------------------------------------------
SUMMARY
MyABraCaDaWeb (<http://www.webmaster-mag.net/>) is a Content Management
System.
Like PHP-Nuke, it is a script-based system written in PHP which, once
installed and configured on a server, generates an automated, customizable
content management site. Content can include various types of files,
options and applications.
A security vulnerability found in this product allows full path disclosure
and Cross Site Scripting attacks.
DETAILS
Vulnerable versions:
* MyAbraCaDaWeb Versions 1.0.2 and prior.
Full Path Disclosure:
A vulnerability in MyABraCaDaWeb allows attackers to determine the physical
path of the application on the server.
A remote user can learn the full filesystem path to the web root directory,
and potentially other sensitive information, by submitting a specially
crafted HTTP request, such as a request for an invalid Admin ID.
Exploit method:
http://[target]/index.php?IDAdmin=test
http://[target]/index.php?base=test
http://[target]/index.php?tampon=test
http://[target]/index.php?SqlQuery=test
etc...
Cross Site Scripting:
A Cross-Site Scripting vulnerability has been found in MyABraCaDaWeb
which allows attackers to inject script code through the search script;
the injected code runs in clients' browsers as if it had been served by
the site.
The vulnerability lies in the keyword search page, into which an attacker
can insert specially crafted links and/or other malicious scripts.
Exploit method:
http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw=[hostile_code]
Where the module might be: "annuaire2liens"
And the hostile code might be something like:
[script]alert("Cookie="+document.cookie)[/script]
(replace ['s with <'s ).
Vulnerable code:
The code is from the file: "header.php"
####################################################################
//--- Report creation
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
// $ma_kw (the search keyword taken from the request) is handed to the
// template without any escaping; this is what makes the XSS possible.
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
// Only users in group 4 are shown the SQL query, and that value is
// escaped with htmlentities() before display; the keyword above is not.
if(quel_groupe() == 4){
    $sql = htmlentities($sql);
    $sql = addslashes($sql);
    $vtp_p->addSession($tpl_p,"sql");
    $vtp_p->setVar($tpl_p,"sql.sql",$sql);
    $vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);
####################################################################
The vendor has been notified and is working on a patch.
Solution:
There is no solution to the full path disclosure yet.
To prevent the more dangerous cross-site scripting (CSS) attack, download
the latest patch from
<http://www.security-corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpatch.zip>
The vendor is also currently working on a patch.
Workaround:
Add this to "header.php"
####################################################################
//--- Report creation
# BugFix by Gregory LEBRAS www.security-corporation.com
// Each eregi_replace() below is a case-insensitive search that breaks up
// one known dangerous token in the keyword so it no longer parses as
// markup or script before the keyword reaches the template.
$ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw);
$ma_kw = eregi_replace("include","!include!",$ma_kw);
$ma_kw = eregi_replace("\<\?","<.?",$ma_kw);
$ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw);
$ma_kw = eregi_replace("\?\>","?.>",$ma_kw);
$ma_kw = eregi_replace("<script>","<.script>",$ma_kw);
$ma_kw = eregi_replace("</script>","<./script>",$ma_kw);
$ma_kw = eregi_replace("javascript","!javascript!",$ma_kw);
$ma_kw = eregi_replace("embed","!embed!",$ma_kw);
$ma_kw = eregi_replace("iframe","!iframe!",$ma_kw);
$ma_kw = eregi_replace("refresh","!refresh!",$ma_kw);
$ma_kw = eregi_replace("onload","!onload!",$ma_kw);
$ma_kw = eregi_replace("onstart","!onstart!",$ma_kw);
$ma_kw = eregi_replace("onerror","!onerror!",$ma_kw);
$ma_kw = eregi_replace("onabort","!onabort!",$ma_kw);
$ma_kw = eregi_replace("onblur","!onblur!",$ma_kw);
$ma_kw = eregi_replace("onchange","!onchange!",$ma_kw);
$ma_kw = eregi_replace("onclick","!onclick!",$ma_kw);
$ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw);
$ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw);
$ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw);
$ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw);
$ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw);
$ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw);
$ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw);
$ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw);
$ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw);
$ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw);
$ma_kw = eregi_replace("onreset","!onreset!",$ma_kw);
$ma_kw = eregi_replace("onselect","!onselect!",$ma_kw);
$ma_kw = eregi_replace("onsubmit","!onsubmit!",$ma_kw);
$ma_kw = eregi_replace("onunload","!onunload!",$ma_kw);
$ma_kw = eregi_replace("document.cookie","!document.cookie!",$ma_kw);
$ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw);
$ma_kw = eregi_replace("location","!location!",$ma_kw);
$ma_kw = eregi_replace("object","!object!",$ma_kw);
$ma_kw = eregi_replace("vbs","!vbs!",$ma_kw);
$ma_kw = eregi_replace("href","!href!",$ma_kw);
// From here on the original report code is unchanged; $ma_kw now
// carries the filtered keyword.
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
if(quel_groupe() == 4){
    $sql = htmlentities($sql);
    $sql = addslashes($sql);
    $vtp_p->addSession($tpl_p,"sql");
    $vtp_p->setVar($tpl_p,"sql.sql",$sql);
    $vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);
####################################################################
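As an added illustration (not MyABraCaDaWeb code and not part of the patch above), the snippet below applies the same output encoding the original header.php already uses for $sql to the search keyword itself: htmlentities() with ENT_QUOTES neutralises the sample payload quoted earlier whatever tags or attributes it contains, whereas a keyword blacklist only catches the tokens it lists. The escape_keyword() function name and the constructed sample input are assumptions of this example.

```php
<?php
// Added example (not the project's code): output-encode the search
// keyword once, immediately before it is handed to the template.

// Encode a user-supplied value for safe insertion into HTML text or a
// quoted attribute. ENT_QUOTES also converts ' and " so the value cannot
// close a quoted attribute in the template.
function escape_keyword($kw)
{
    return htmlentities((string) $kw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: the payload shape quoted in the advisory.
$hostile = '<script>alert("Cookie="+document.cookie)</script>';

$safe = escape_keyword($hostile);
// $safe is now:
// &lt;script&gt;alert(&quot;Cookie=&quot;+document.cookie)&lt;/script&gt;
// The browser renders this as literal text; nothing executes.

// Where it slots into header.php (hypothetical drop-in for the
// existing setVar line):
// $vtp_p->setVar($tpl_p, "rapport.ma_kw", escape_keyword($ma_kw));

// Sanity check: no raw HTML-significant characters survive encoding.
if (strpbrk($safe, '<>"\'') !== false) {
    throw new RuntimeException('encoding failed');
}
echo $safe, PHP_EOL;
```

If the template engine escapes values itself, check the rendered page for double encoding (`&amp;lt;` instead of `&lt;`) and encode in only one place.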
ADDITIONAL INFORMATION
For additional information see
<http://www.security-corporation.com/index.php?id=advisories&a=010>
Security Corporation's Article.
Information was provided by
<mailto:gregory.lebras@security-corporation.com> Gregory Lebras, Security
Corp.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.