[VulnWatch] [KSA-005] Multiple vulnerabilities in Tutos

From: François SORIN (francois.sorin_at_kereval.com)
Date: 04/13/04

    Date: Tue, 13 Apr 2004 17:55:50 +0200
    To: vulnwatch@vulnwatch.org
    
    

    =================================================
    Kereval Security Advisory [KSA-005]

    Multiple vulnerabilities in Tutos
    =================================================

    PROGRAM: Tutos
    HOMEPAGE: http://www.tutos.org
    VULNERABLE VERSIONS: 1.1.20031017
    RISK: Medium/High
    IMPACT: Cross Site Scripting / Path Disclosure / SQL Injection
    RELEASE DATE: 2004-01-13

    =================================================
    TABLE OF CONTENTS
    =================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6........................................................VENDOR STATUS
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    =================================================

    "TUTOS is a tool to manage the organizational needs of small
    groups, teams, departments ...
    To do this it provides some web-based tools"

    (direct quote from http://www.tutos.org)

    2. DETAILS
    =================================================

    - Cross Site Scripting :

    Many exploitable bugs were found in Tutos that cause script
    execution on the client's computer when a crafted URL is followed.

    This kind of attack, known as a "Cross-Site Scripting Vulnerability",
    is present in many sections of the web site; an attacker can input
    specially crafted links and/or other malicious scripts.

    - Path Disclosure

    These vulnerabilities would allow a remote user to determine the
    full path to the web root directory and other potentially
    sensitive information. This vulnerability can be triggered by a
    remote user submitting a specially crafted HTTP request.

    3. EXPLOITS
    =================================================

    - Cross Site Scripting :

    In many Tutos forms for creating new items, such as:
    - http://[tutos]/php/company_new.php
    - http://[tutos]/php/app_new.php
    - http://[tutos]/php/task_new.php
    - http://[tutos]/php/[xxxx]_new.php

    The hostile code could be :

    [script]alert("Cookie="+document.cookie)[/script]

    (open a window with the cookie of the visitor)

    (replace [] by <>)

    - Path Disclosure / SQL Injection

    The affected page is note_overview.php :
    http://[tutos]/php/note/note_overview.php?id=1;

    The browser displays:

    Detail :
    SELECT DISTINCT n.* FROM notes n WHERE n.id = 1; ORDER by
    creation DESC

    TUTOS Version: 1.1.20030715
    PHP Version: "xxx"
    PHP Config: "xxx"
    APACHE Version: "xxx"
    Browser: "xxx"
    DB User : tutos
    DB Alias : TUTOS database
    URL: /tutos/php/note/note_overview.php
    Request: /tutos/php/note/note_overview.php?id=1;
    Called by: "xxx"
    ... (and the directory structure)

    There is a SQL injection risk, but exploit code remains to be found.

    4. SOLUTIONS
    =================================================

    Upgrade your Tutos version to 1.1.20040412.

    5. WORKAROUND
    =================================================

    - Cross Site Scripting :

    Use the PHP function eregi_replace to filter the input data.
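
A more durable form of this workaround, as an added example that is not part of the original advisory or of Tutos: eregi_replace was deprecated in PHP 5.3 and removed in PHP 7, so the example encodes values on output with htmlspecialchars, and it also validates and binds the id parameter of note_overview.php. The helper names, the notes columns and the in-memory SQLite database are assumptions constructed for illustration.

```php
<?php
// Added example, not Tutos code. Helper, column and table names are assumptions
// modelled on the request and query shown in the advisory.

// 1. XSS: encode on output instead of pattern-filtering on input.
function h(string $value): string
{
    // ENT_QUOTES also encodes ' and ", so the value is safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. note_overview.php?id=...: accept only a positive integer.
function parse_note_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Bind the id as a parameter so it can never alter the statement text.
function load_notes(PDO $db, int $id): array
{
    $stmt = $db->prepare(
        'SELECT DISTINCT n.* FROM notes n WHERE n.id = :id ORDER BY creation DESC'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data (in-memory SQLite, requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER, name TEXT, creation TEXT)');
$db->exec("INSERT INTO notes VALUES (1, '<script>alert(1)</script>', '2004-01-13')");

foreach (['1', '1;'] as $raw) {   // '1;' is the request shown in the advisory
    $id = parse_note_id($raw);
    if ($id === null) {
        // Generic reply: no query text, versions, DB user or paths are echoed.
        echo 'id=' . h($raw) . " -> 400 Bad Request\n";
        continue;
    }
    foreach (load_notes($db, $id) as $row) {
        echo "id=$id -> " . h($row['name']) . "\n";
    }
}
```

Keeping the error reply generic also addresses the path disclosure, since the debug page quoted in section 3 is what exposes the query, the DB user and the directory structure.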

    6. VENDOR STATUS
    =================================================

    2004-01-13 Vulnerability discovered
    2004-01-13 The vendor has reportedly been notified
    2004-01-16 First response - Working on the security fixes
    2004-04-12 Bugfix update (version 1.1.20040412)
    2004-04-13 Public disclosure

    7. CREDITS
    =================================================

    Discovered by François SORIN <francois.sorin@kereval.com>

    8. DISCLAIMER
    =================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    =================================================

    - Original Version:
    http://www.kereval.com/a,20040413100957.html

    10. FEEDBACK
    =================================================

    Please send suggestions, updates, and comments to:

    Kereval
    Immeuble Le Gallium
    80, avenue des Buttes de Coesmes
    35700 RENNES - FRANCE
    info@kereval.com

