Re: [Full-disclosure] SAXON version 5.4 Multiple Path Disclosure Vulnerabilities
- To: SecurityResearch <securityresearch@xxxxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] SAXON version 5.4 Multiple Path Disclosure Vulnerabilities
- From: reepex <reepex@xxxxxxxxx>
- Date: Mon, 29 Oct 2007 14:52:04 -0500
dot dot dot
First an SQL injection post that requires magic quotes off, then a
post about XSS, and now a post about path disclosure?
Why waste CVE entries and people's time with crap like this? Couldn't
you at least find post-auth FTP DoS bugs like morning wood?
On 10/29/07, SecurityResearch <securityresearch@xxxxxxxxxxxxxxxx> wrote:
> netVigilance Security Advisory #53
> SAXON version 5.4 Multiple Path Disclosure Vulnerabilities
> Description:
> SAXON is a simple accessible online news publishing system for personal and
> small corporate site owners. Publish news, using configurable templates, on
> any .php page on your site. Publish news on a 'per author' basis. Edit and/or
> delete existing news items. Create multiple RSS news feeds automatically (RSS
> 0.9, RSS 2.0 and Atom). Post date news items for later public release.
> Multiple authors allowed. Ability to configure users as Standard or
> Administrators. Ability to add/delete users (Administrators only). Option to
> change any user password (Administrators only). Template
> creation/deletion/amendment interface. Online setup and configuration.
> External References:
> Mitre CVE: CVE-2007-4861
> NVD NIST: CVE-2007-4861
> OSVDB: Unassigned
> Summary:
> SAXON is a simple accessible online news publishing system for personal and
> small corporate site owners.
> Security problems in the product allow attackers to gather the true path of
> the server-side script.
> Advisory URL:
> http://www.netvigilance.com/advisory0053
> Release Date:
> 10/29/2007
>
> CVSS Version 2 Metrics:
> Base Metrics:
>   Exploitability Metrics:
>     Access Vector: Network
>     Access Complexity: Low
>     Authentication: None
>   Impact Metrics:
>     Confidentiality Impact: Partial
>     Integrity Impact: None
>     Availability Impact: None
> Temporal Metrics:
>     Exploitability: Functional
>     Remediation Level: Official Fix
>     Report Confidence: Confirmed
>
> CVSS Version 2 Vectors:
>   Base Vector: "AV:N/AC:L/Au:N/C:P/I:N/A:N"
>   Temporal Vector: "E:F/RL:OF/RC:C"
>
> CVSS Version 2 Scores:
>   Base Score: 5
>   Impact Subscore: 2.9
>   Exploitability Subscore: 10
>   Temporal Score: 4.1
> SecureScout Testcase ID:
> TC 17990
> Vulnerable Systems:
> SAXON version 5.4
> Vulnerability Type:
> Program flaws - The product scripts have flaws which lead to Warnings or even
> Fatal Errors.
> Vendor:
> Quirm
> Vendor Status:
> The Vendor has confirmed the problem and has released new version 5.41 that
> addresses the problem. New version of product was tested and we can confirm
> that all vulnerabilities were solved. For more information see vendor
> announcement. To download the latest version go to vendor's product download
> area.
> Workaround:
> From netVigilance:
> Disable warning messages: modify in the php.ini file following line:
> display_errors = Off.
> From vendor:
> Modify .htaccess file to include 'php_flag register_globals off' (this will
> work only for the Apache servers). Amend admin/config.php to include
> 'error_reporting(0);'
> Update critical files in the /admin, /rss and root directory of the
> installation (all MySQL error reporting removed)
> Example:
> Path Disclosure Vulnerability 1:
> REQUEST:
> http://[TARGET]/[PRODUCT DIRECTORY]/news.php
> REPLY:
> <b>Fatal error</b>: Call to undefined function: quotesmart() in
> <b>[DISCLOSED PATH][PRODUCT DIRECTORY]\news.php</b> on line <b>15</b><br />
> Path Disclosure Vulnerability 2:
> REQUEST:
> http://[TARGET]/[SAXON-DIRECTORY]/admin/edit-item.php?newsid[]=1
> REPLY:
> <b>Warning</b>: mysql_real_escape_string() expects parameter 1 to be string,
> array given in <b>[DISCLOSED PATH][PRODUCT DIRECTORY]\admin\functions.php</b>
> on line <b>48</b><br />
> Credits:
> Jesper Jurcenoks
> Co-founder netVigilance, Inc
> www.netvigilance.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
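The two replies quoted in the advisory share PHP's standard error layout, so a defender can check their own responses for the same leak. The following is an added example, not part of the advisory or of this thread: a small Python scanner that extracts the disclosed path from a response body. The function name, the sample bodies and the paths in them are constructed for illustration.

```python
import re
from typing import List, NamedTuple

class Leak(NamedTuple):
    level: str    # PHP error class, e.g. "Warning"
    message: str  # error text before " in <file>"
    path: str     # absolute server-side path exposed to the client
    line: int

# html_errors wraps level, file and line in <b>...</b> and ends with <br />.
_TAGS = re.compile(r"</?b>|<br\s*/?>", re.I)
# PHP's standard layout: "<level>: <message> in <absolute path> on line <n>".
_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice)\s*:\s*"
    r"(?P<message>.+?)\s+in\s+"
    r"(?P<path>(?:[A-Za-z]:[\\/]|/)\S.*?)\s+on\s+line\s+(?P<line>\d+)"
)

def find_php_path_leaks(body: str) -> List[Leak]:
    """Return every PHP error in an HTTP response body that exposes a path."""
    text = _TAGS.sub("", body)
    text = re.sub(r"\s+", " ", text)  # errors wrap across lines in the reply
    return [Leak(m["level"], m["message"], m["path"], int(m["line"]))
            for m in _ERROR.finditer(text)]

# Constructed replies in the two shapes the advisory shows; paths are made up.
FATAL_REPLY = (
    "<b>Fatal error</b>: Call to undefined function: quotesmart() in\n"
    r"<b>C:\inetpub\wwwroot\saxon\news.php</b> on line <b>15</b><br />"
)
WARNING_REPLY = (
    "<html><body><b>Warning</b>: mysql_real_escape_string() expects parameter 1\n"
    "to be string, array given in <b>/var/www/saxon/admin/functions.php</b>\n"
    "on line <b>48</b><br /><p>Edit item</p></body></html>"
)
# What the same page looks like once display_errors = Off is in effect.
CLEAN_REPLY = "<html><body><p>Edit item</p></body></html>"

if __name__ == "__main__":
    for name, body in [("fatal", FATAL_REPLY), ("warning", WARNING_REPLY),
                       ("clean", CLEAN_REPLY)]:
        for leak in find_php_path_leaks(body):
            print(f"{name}: {leak.level} leaks {leak.path} (line {leak.line})")
```

An empty result for a page that previously leaked is a quick confirmation that the `display_errors = Off` workaround or the 5.41 update has taken effect.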