[UNIX] Multiple Vulnerabilities In JAWS
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com
Date: 11 Jul 2004 12:27:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities In JAWS
<http://www.jaws.com.mx/> Jaws is "a Framework and Content Management
System for building dynamic web sites".
The index.php page contains multiple vulnerabilities that allow a
malicious attacker to bypass authentication, read arbitrary files and
perform cross-site scripting attacks.
* JAWS 0.3
Full path disclosure:
The code offers many ways to determine the full path to the web root
directory. For example, the jaws_error() function prints the line number
together with the full path of the file in which the error occurred:
function jaws_error($text, $file, $line)
{
    // Both $file (an absolute path) and $line end up in the response body,
    // which is what discloses the location of the web root.
    print ("<b style=\"color: #f00;\">JAWS Error:</b><br/>".$text."<br/><i>".$file.":".$line."</i>");
}
Another example: trying to open a file in the include directory directly.
Arbitrary file browsing:
The contents of arbitrary files can be accessed through the gadget
variable. For example, it is possible to read /etc/passwd in the following way:
The "path" variable is irrelevant here. The code contains
$path = str_replace("..", "", $path);
which filters the content of path, but in the index.php file the gadget
variable is not filtered at all.
The "%00" is necessary because the script appends the extension ".php"
to the value of the gadget variable, and the null byte terminates the
file name before that suffix is reached.
Cross Site Scripting:
Cross site scripting is possible through the action variable, because the
script echoes the content of the variable back without escaping it:
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold
jaws_error ("Invalid operation: You can't display this action
where "$go_gadget->action" contains the erroneous action.
Bypassing password authentication:
There is a way to enter the control panel with administrator rights
without a password.
The admin.php file has:
control panel code...
The logged_on() function is in the application.php file. It returns:
return (md5($_SESSION["logged"]) == $_COOKIE["logged"]);
Before the user enters the Control Panel, the $_SESSION["logged"] variable
holds an empty ("") value, so the server-side operand of the comparison is a
constant that anyone can compute. A possible way to exploit this:
setcookie("logged","d41d8cd98f00b204e9800998ecf8427e",time()+86400*365,'path to jaws');
Where "d41d8cd98f00b204e9800998ecf8427e" is the MD5 hash of the empty
string. This way a cookie can be created (one that looks as if it had been
issued by the remote system), and then the following URL is requested:
And the authentication is bypassed.
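The following PHP is an added example written for this advisory, not JAWS code. It puts the vulnerable logged_on() test described above next to a hardened version, and also shows how the gadget parameter from the arbitrary file browsing section can be restricted to a fixed list instead of being spliced into an include path; all function names, session keys and the gadget list are assumptions.

```php
<?php
// Added example, not JAWS code. Function names, session keys and the
// gadget list below are assumptions made for illustration.
session_start();

// Vulnerable pattern from the advisory: $_SESSION["logged"] is "" before any
// login and md5("") is the public constant d41d8cd98f00b204e9800998ecf8427e,
// so a client sending that value in the "logged" cookie passes the check.
function logged_on_vulnerable()
{
    return (md5($_SESSION["logged"]) == $_COOKIE["logged"]);
}

// Hardened check: authorization state lives only in the server-side session
// and is never derived from, or compared against, a client-controlled cookie.
function logged_on_hardened()
{
    return isset($_SESSION['authenticated'])
        && $_SESSION['authenticated'] === true
        && isset($_SESSION['user_id']);
}

// Called only after the password has actually been verified.
function mark_authenticated($user_id)
{
    session_regenerate_id(true);        // new session id defeats fixation
    $_SESSION['authenticated'] = true;
    $_SESSION['user_id'] = $user_id;
}

// Hardened gadget loading: the request value selects an entry from a fixed
// list rather than being appended to an include path, so "../" sequences
// and a "%00" byte can never reach files outside the gadgets directory.
function load_gadget($requested)
{
    $allowed = array('Blog', 'Users', 'ControlPanel');   // constructed list
    if (!in_array($requested, $allowed, true)) {
        return false;
    }
    require_once __DIR__ . '/gadgets/' . $requested . '.php';
    return true;
}

// Hardened error output for the XSS case: escape attacker-influenced text
// before it is echoed back in jaws_error().
function safe_error_text($action)
{
    return htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
}
```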
The information has been provided by <mailto:firstname.lastname@example.org> Fernando