[UNIX] Multiple Vulnerabilities in CoolPHP

• Previous message: SecuriTeam: "[NT] Multiple Cross Site Scripting Vulnerabilities in FuseTalk"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 18 Oct 2004 16:16:41 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Multiple Vulnerabilities in CoolPHP
------------------------------------------------------------------------

SUMMARY

 <http://cphp.sourceforge.net/> CoolPHP is a PHP based portal system. It
requires a Web server with PHP support and MySQL. It's compatible with
*NIX and NT.
CoolPHP suffers from multiple vulnerabilities that allow an attacker to
include arbitrary PHP files and perform cross site scripting attacks.

DETAILS

Vulnerable Systems:
 * CoolPHP Version 1.0-stable

Cross-Site Scripting vulnerability:
It is possible to construct a link containing arbitrary script code to a
website running CoolPHP. When a user browses the link, the script code
will be executed on the user's
browser. This vulnerability occurs due to insufficient inspection of some
user-supplied input. As a result of this deficiency an attacker may
exploit the vulnerability by creating a specially crafted URL that
includes malicious HTML code as URI parameters for index.php
Examples:
http://example.com/index.php?op=buscar&query=
language=javascript>window.alert(document.cookie);</script>
http://example.com/index.php?op=buscar&query=%3Cscript%20language=
javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
http://example.com/index.php?op=userinfo&nick=
language=javascript>window.alert(document.cookie);</script>

Path Disclosure Vulnerability:
Passing invalid value for the 'op' URI parameter to index.php will cause
an error message to be displayed which contains physical path information.
This information could be useful in further attacks against the system.
Example: http://example.com/cphp/index.php?op=invparam

Local file include Vulnerability with Directory Traversal:
CoolPHP does not filter dot dot slash (../) sequences from web requests.
This problem may allow an attacker to access arbitrary files outside the
server root
directory and will permit a local attack to include malicious PHP scripts
from another local paths.

Examples:
http://example.com/index.php?op=../../../../anotheruser/anyfile
Or as URL encoded format:
http://example.com/index.php?op=
%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fanotheruser/anyfile

ADDITIONAL INFORMATION

The information has been provided by <mailto:root@cyberspy.org>
R00tCr4ck.
The original article can be found at:
<http://www.cyberspy.org/gam/cphp.multiple>
http://www.cyberspy.org/gam/cphp.multiple

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Multiple Cross Site Scripting Vulnerabilities in FuseTalk"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]