[UNIX] PHPX Web Portal Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 02/12/04

    To: list@securiteam.com
    Date: 12 Feb 2004 12:19:40 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PHPX Web Portal Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    "<http://www.phpx.org> PHPX is a constantly evolving and changing Content
    Management System (CMS). PHPX is highly customizable and high powered all
    in one system. PHPX provides content management combined with the power of
    a portal by including in the core package modules such as FAQ, polls, and
    forums."

    Multiple vulnerabilities were found in PHPX that allow an attacker to
    inject arbitrary script code, perform cross-site scripting and even hijack
    accounts through the authentication cookie.

    DETAILS

    Vulnerable Systems:
     * PHPX version 3.2.3 (possibly prior)

    Immune Systems:
     * PHPX version 3.2.4

    Cross-site Scripting
    Vulnerabilities exist in the main.inc.php and help.inc.php files that
    would allow an attacker to insert arbitrary code which would execute in
    the client's browser. An example of such conditions can be demonstrated in
    the following manner:

    main.inc.php?keywords='>< scr!pt>alert(document.cookie)< /scr!pt>
    help.inc.php?body='>< scr!pt>alert(document.cookie)< /scr!pt>

    NOTE: In the examples above the 'script' tag has been replaced with
    'scr!pt'.

    HTML/Code Injection Flaw
    Injection of malicious code is possible through the 'Subject' field in
    both the Forum and Instant Messaging. An attacker can inject specially
    crafted code which would be triggered when a user views certain pages.
    Script code crafted by the attacker will then be executed on the user's
    client side and could manipulate user profiles, post in forums and steal
    session cookies.
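
    The encoding that closes both the reflected 'keywords'/'body' case and the stored 'Subject' case, as an added example that is not PHPX code and not part of the original advisory. The function names and the markup are hypothetical; the single-quoted attribute is an assumption suggested by the leading '> in the test strings.

```php
<?php
// Added example, not PHPX source. Function names and markup are hypothetical.

// Vulnerable pattern: request data concatenated into a single-quoted attribute.
function render_search_box_vulnerable(string $keywords): string
{
    return "<input type='text' name='keywords' value='" . $keywords . "'>";
}

// Encode for the HTML context. ENT_QUOTES is what neutralises the leading '
// in the advisory's test string: before PHP 8.1 the default flags of
// htmlspecialchars() left single quotes untouched.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form of the reflected case.
function render_search_box(string $keywords): string
{
    return "<input type='text' name='keywords' value='" . h($keywords) . "'>";
}

// Stored case: a forum or message subject is encoded at output time,
// on every page that prints it, not only when it is saved.
function render_subject(string $subject): string
{
    return '<td class="subject">' . h($subject) . '</td>';
}

// Constructed probe, in the advisory's defanged 'scr!pt' form.
$probe = "'>< scr!pt>alert(document.cookie)< /scr!pt>";

// Regression check: no markup-significant character survives encoding.
if (strpbrk(h($probe), "<>'\"") !== false) {
    throw new RuntimeException('output encoding left a raw metacharacter');
}

echo render_search_box_vulnerable($probe), "\n"; // attribute is closed early
echo render_search_box($probe), "\n";            // probe stays inside value
echo render_subject($probe), "\n";               // probe is shown as text
```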

    Cookie Account Hijacking Vulnerability
    A cookie written by PHPX contains a variable called PXL which PHPX uses in
    order to authenticate users. It is possible to edit the PXL variable so
    that PHPX authenticates the requester as a different user, giving access
    to that user's account. In fact, it is also possible to gain
    administrative access which naturally means a full compromise of the
    system in question.
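
    The trust problem described above and one way to close it, as an added example that is not PHPX code and not the vendor's 3.2.4 fix. The advisory does not describe the layout of PXL, so a bare user id is assumed; the "uid.expiry.mac" token format and all function names are hypothetical.

```php
<?php
// Added example, not PHPX source. PXL is assumed to carry a bare user id;
// the advisory does not describe its real layout.
const COOKIE_NAME = 'PXL';

// Vulnerable pattern: identity is whatever value the client sends back.
function current_user_vulnerable(array $cookies): ?int
{
    return isset($cookies[COOKIE_NAME]) ? (int) $cookies[COOKIE_NAME] : null;
}

// Hardened: the cookie value is "uid.expiry.mac", with an HMAC over
// uid and expiry computed under a key that never leaves the server.
function issue_token(int $uid, string $key, int $now, int $ttl = 3600): string
{
    $payload = $uid . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the user id, or null if the token is malformed, altered or expired.
function verify_token(string $token, string $key, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$uid, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $uid . '.' . $expiry, $key);
    // hash_equals() compares in constant time.
    if (!hash_equals($expected, $mac) || (int) $expiry < $now) {
        return null;
    }
    return (int) $uid;
}

$key   = random_bytes(32);             // per-deployment secret
$now   = time();
$token = issue_token(42, $key, $now);  // constructed: ordinary user 42

// Constructed tamper test: uid field changed, original MAC replayed.
$tampered = '1' . substr($token, strpos($token, '.'));

var_dump(current_user_vulnerable([COOKIE_NAME => '1'])); // edited id is trusted
var_dump(verify_token($token, $key, $now));              // untouched token
var_dump(verify_token($tampered, $key, $now));           // edited uid
var_dump(verify_token($token, $key, $now + 7200));       // past its expiry
```

    Setting the cookie with the HttpOnly flag also keeps it out of reach of document.cookie, which is what the script-injection test strings above read.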

    Vendor Status:
    The vendor has been notified and a newer version was released.

    ADDITIONAL INFORMATION

    The information has been provided by Manuel Lopez <mantra@lkm-zx.net>.
