[VulnWatch] [KSA-001] Multiple vulnerabilities in Tutos

From: François SORIN (francois.sorin_at_wanadoo.fr)
Date: 06/23/03

  • Next message: Mark Litchfield: "[VulnWatch] Remote Buffer Overrun WebAdmin.exe"
    To: <vulnwatch@vulnwatch.org>
    Date: Mon, 23 Jun 2003 21:30:57 +0200
    
    

    =================================================
    Kereval Security Advisory [KSA-001]

    Multiple vulnerabilities in Tutos
    =================================================

    PROGRAM: Tutos
    HOMEPAGE: http://www.tutos.org
    VULNERABLE VERSIONS: 1.1
    RISK: Medium/High
    IMPACT: Cross Site Scripting
    RELEASE DATE: 2003-06-20

    =================================================
    TABLE OF CONTENTS
    =================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6........................................................VENDOR STATUS
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    =================================================

    "TUTOS is a tool to manage the the organizational needs of small
    groups, teams, departments ...
    To do this it provides some web-based tools"

    (direct quote from http://www.tutos.org)

    2. DETAILS
    =================================================

    ¤ Cross Site Scripting :

    Many exploitable bugs was found in Tutos which cause script
    execution on client's computer by following a crafted url.

    This kind of attack known as "Cross-Site Scripting Vulnerability"
    is present in many section of the web site, an attacker can input
    specially crafted links and/or other malicious scripts.

    An attacker can upload a file and execute it on the client's computer.
    The browser IE can execute a HTML page without extension.

    3. EXPLOITS
    =================================================

    ¤ Cross Site Scripting :

    http://[target]/tutos/file/file_select.php?msg=<hostile code>

    All url with attribute msg...

    The hostile code could be :

    [script]alert("Cookie="+document.cookie)[/script]

    (open a window with the cookie of the visitor.)

    (replace [] by <>)

    ¤ Upload a file with a malicious script

    We can upload via http://[target]/tutos/file/file_new.php?link_id=1065

    The path is http://[target]/tutos/repository/[project number]/[file
    number]/FILE

    4. SOLUTIONS
    =================================================

    The Problem is solved for all new releases where the given <hostile
    code> is strictly interpreted as NON-HTML code by TUTOS. And most
    messages are stored in the sessiondata and no longer in URLs (there was
    also a problem with too long URLs)

    The version that implements this is available via CVS as BRANCH-1-1
    How to get CVS is described on <https://sourceforge.net/cvs/?group_id=8047>

    5. WORKAROUND
    =================================================

    ¤ Cross Site Scripting :

    Use the function php eregi_replace to filter the input data.

    6. VENDOR STATUS
    =================================================

    2003-06-20 The vendor has reportedly been notified.
    2003-06-23 Response from the vendor with solution.

    7. CREDITS
    =================================================

    Discovered by François SORIN <francois.sorin@security-corporation.com>

    8. DISLAIMER
    =================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    =================================================

    http://www.security-corporation.com

    10. FEEDBACK
    =================================================

    Please send suggestions, updates, and comments to:

    Kereval
    Immeuble Le Gallium
    80, avenue des Buttes de Coesmes
    35700 RENNES - FRANCE
    info@kereval.com


  • Next message: Mark Litchfield: "[VulnWatch] Remote Buffer Overrun WebAdmin.exe"

    Relevant Pages