[UNIX] Jetbox Multiple Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 6 Aug 2006 13:09:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Jetbox Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://jetbox.streamedge.com/index.php> Jetbox is a "content management
system is seriously tested on usability & has a professional intuitive
interface." Secunia Research has discovered some vulnerabilities in Jetbox
CMS, which can be exploited by malicious people to conduct session
fixation attacks, disclose certain system information, conduct cross-site
scripting, script insertion, and SQL injection attacks, and compromise a
vulnerable system.
DETAILS
Vulnerable Systems:
* Jetbox CMS version 2.1 SR1
1) An error in the handling of sessions during login to the administration
section can be exploited to hijack another user's session by tricking the
user into logging in after following a specially crafted link.
2) Input passed via the URL is not properly sanitised before being used in
a dynamic variable evaluation in index.php. This can be exploited to
overwrite certain configuration variables.
Successful exploitation e.g. leads to disclosure of certain system
information via phpinfo or execution of arbitrary HTML and script code in
a user's browser session in context of an affected site.
3) Input passed to the "login" parameter in admin/cms/index.php is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
4) Input passed to formmail.php via the "Supply news" page is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
5) Input passed via the URL is not properly sanitised before being
returned in the "Site statistics" page in the administration section. This
can be exploited to insert arbitrary HTML and script code, which is
executed in an administrative user's browser session in context of an
affected site when statistics are viewed.
6) Input passed to the "query_string" form field parameter when performing
a search is not properly sanitised before being used. This can be
exploited to insert arbitrary HTML and script code, which is executed in
an administrative user's browser session in context of an affected site
when search statistics are viewed.
7) Input passed to the "frontsession" cookie parameter, the "view"
parameter in index.php, and to the "login" parameter in
admin/cms/index.php is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Successful exploitation may lead to execution of arbitrary PHP code by
including files from external resources, but requires that
"magic_quotes_gpc" is disabled.
Time Table:
14/07/2006 - Initial vendor notification.
21/07/2006 - Second vendor notification.
02/08/2006 - Public disclosure.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3583>
CVE-2006-3583,
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3584>
CVE-2006-3584,
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3585>
CVE-2006-3585 and
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3586>
CVE-2006-3586
ADDITIONAL INFORMATION
The information has been provided by Sven Krewitt.
The original article can be found at:
<http://secunia.com/secunia_research/2006-57/>
http://secunia.com/secunia_research/2006-57/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] CA eTrust Antivirus WebScan Vulnerabilities
- Next by Date: [UNIX] PHP Live Helper File Inclusion
- Previous by thread: [NT] CA eTrust Antivirus WebScan Vulnerabilities
- Next by thread: [UNIX] PHP Live Helper File Inclusion
- Index(es):
Relevant Pages
|
