[UNIX] Multiple Vulnerabilities in CoolPHP

From: SecuriTeam (support_at_securiteam.com)
Date: 10/18/04

  • Next message: SecuriTeam: "[EXPL] BitchX Local Root Exploit" 
    To: list@securiteam.com
Date: 18 Oct 2004 16:16:41 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Vulnerabilities in CoolPHP
    ------------------------------------------------------------------------

    SUMMARY

     <http://cphp.sourceforge.net/> CoolPHP is a PHP based portal system. It
    requires a Web server with PHP support and MySQL. It's compatible with
    *NIX and NT.
    CoolPHP suffers from multiple vulnerabilities that allow an attacker to
    include arbitrary PHP files and perform cross site scripting attacks.

    DETAILS

    Vulnerable Systems:
     * CoolPHP Version 1.0-stable

    Cross-Site Scripting vulnerability:
    It is possible to construct a link containing arbitrary script code to a
    website running CoolPHP. When a user browses the link, the script code
    will be executed on the user's
    browser. This vulnerability occurs due to insufficient inspection of some
    user-supplied input. As a result of this deficiency an attacker may
    exploit the vulnerability by creating a specially crafted URL that
    includes malicious HTML code as URI parameters for index.php
    Examples:
    http://example.com/index.php?op=buscar&query=
    language=javascript>window.alert(document.cookie);</script>
    http://example.com/index.php?op=buscar&query=%3Cscript%20language=
    javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
    http://example.com/index.php?op=userinfo&nick=
    language=javascript>window.alert(document.cookie);</script>

    Path Disclosure Vulnerability:
    Passing invalid value for the 'op' URI parameter to index.php will cause
    an error message to be displayed which contains physical path information.
    This information could be useful in further attacks against the system.
    Example:     http://example.com/cphp/index.php?op=invparam

    Local file include Vulnerability with Directory Traversal:
    CoolPHP does not filter dot dot slash (../) sequences from web requests.
    This problem may allow an attacker to access arbitrary files outside the
    server root
    directory and will permit a local attack to include malicious PHP scripts
    from another local paths.

    Examples:
    http://example.com/index.php?op=../../../../anotheruser/anyfile
    Or as URL encoded format:
    http://example.com/index.php?op=
    %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fanotheruser/anyfile

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:root@cyberspy.org>
    R00tCr4ck.
    The original article can be found at:
    <http://www.cyberspy.org/gam/cphp.multiple>
    http://www.cyberspy.org/gam/cphp.multiple

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] BitchX Local Root Exploit"

    Relevant Pages