[UNIX] Multiple Vulnerabilities in NukeBookmarks (Full path disclosure, Cross Site Scripting, SQL Injection)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/30/05
- Previous message: SecuriTeam: "[TOOL] CIRT.DK SMTP Relay Scanner"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 30 Mar 2005 11:59:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in NukeBookmarks (Full path disclosure, Cross
Site Scripting, SQL Injection)
------------------------------------------------------------------------
SUMMARY
" <http://nukebookmarks.sourceforge.net/> Nuke Bookmarks is a module for
PHP-Nuke that allows users to store their own personal bookmarks on the
server, much like Yahoo Bookmarks."
Full path disclosure, Cross Site Scripting and SQL Injection
vulnerabilities discovered in NukeBookmarks, compromising th system.
DETAILS
Vulnerable Systems:
* NukeBookmarks Version .6
Immune Systems:
* NukeBookmarks Version .7
Full Path Disclosure Vulnerability:
It's possible to retrieve the full installation path of NukeBookmarks. In
marks.php, some database queries can be manipulated by the user. If the
resulting SQL query is illegal, the functions that runs that query will
return an SQL error, revealing full installation path.
Examples:
http://example.com/modules.php?name=Bookmarks&file=marks
http://example.com/modules.php?name=Bookmarks&file=marks&category=1\'
Cross Site Scripting Vulnerability:
Almost all of the input variables supplied by the user aren't checked and
filtered properly. It's possible to inject malicious javascript code into
the page and perform a cross site scripting attack.
Examples:
http://www.nukesite.com/modules.php?name=Bookmarks&file=del_cat&catname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=del_mark&markname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=edit_cat&catname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=edit_cat&catcomment=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=marks&catname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=uploadbookmarks&category=[code]
SQL Injection:
It's possible to get any content and manipulate the database by exploiting
a SQL Injection vulnerability in marks.php
Example:
http://www.nukesite.com/modules.php?name=Bookmarks&file=marks&catname=1
&category=-1/**/union/**/select%200,aid,0,pwd,0,0%20from%20nuke_authors
This example will get the list of PHPNuke authors and the relative hashes
of the passwords.
ADDITIONAL INFORMATION
The information has been provided by <mailto:astharot@zone-h.org> Gerardo
Astharot Di Giacomo.
The original article can be found at:
<http://zone-h.org/advisories/read/id=7356>
http://zone-h.org/advisories/read/id=7356
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[TOOL] CIRT.DK SMTP Relay Scanner"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] PHPNuke Multiple Vulnerabilities in Search Module
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... cross-site scripting and
SQL injections located throughout the ... The vulnerability exists in the ... The
first SQL injection vulnerability is a non-critical one in the ... (Securiteam) - [UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A cross site scripting bug
exists in u2u.php as well. ... An SQL injection and a cross site-scripting bug in member.php
(only ... Yet more SQL injections and XSS vulnerabilities exists, ... (Securiteam) - [UNIX] Cyphor Multiple Security Vulnerabilities (SQL Injection and CSS)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... normal users, moderators and administrators.
... SQL Injection in 'Forgot Password Interface': ... The following URL will trigger
an cross site scripting attack against ... (Securiteam) - [UNIX] Multiple Vulnerabilities in Kayako eSupport
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The Kayako eSupport product
has been found to contain multiple ... vulnerabilities that range from cross site scripting
issues to SQL ... A cross site scripting vulnerability exists in Kayako eSupport. ...
(Securiteam) - [UNIX] CPAINT AJAX Library Cross Site Scripting
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... CPAINT AJAX Library Cross Site
Scripting ... This vulnerability can lead to disclosure of client side data and possibly
... (Securiteam)
