Full Disclosure mailing list archives
The vulnerabilities festival !
From: "Omid" <omid () hackers ir>
Date: Thu, 18 Jan 2007 17:10:58 +0330
-------------------------------------------------------------------------------

Hi everyone :)

Several vulnerabilities have been found in several programs:

*) 5 sql injection bugs in PHP-Nuke
*) Several sql injection and full path disclosure bugs in Joomla 1.5.0 Beta
*) 1 sql injection bug in Mambo 4.6.1 and Joomla 1.0.11
*) 1 sql injection and 1 XSS bug in Virtuemart 1.0.7
*) 5 sql injection bugs in Xoops 2.0.16 core + weblinks module
*) 3 sql injection and 1 XSS bug in DocMan 1.3 RC2
*) 2 sql injection bugs in ATutor 1.5.3.2
*) 3 sql injection bugs in Letterman 1.2.3
*) 1 file disclosure bug in WDaemon 9.5.4
*) 3 security bugs in PostNuke 0.764

I tried to omit dangerous and exploitable details from this advisory, so some sections are not described in detail ...
The original advisory (in Persian) is located at:
http://www.hackers.ir/advisories/festival.txt

-------------------------------------------------------------------------------

I) PHP-Nuke:

There are 5 sql injections in PHP-Nuke 7.9 (and maybe other versions, including version 8):

Three of them exist in the 'advertising', 'weblinks' and 'reviews' sections, which can be dangerous and are not described here.

Two others are in the admin section:

The 'active' parameter is passed to the "module_status()" function without proper checking:

File /admin/modules/modules.php, Line 281:

** module_status($mid, $active);

And in the "module_status()" function:

File /admin/modules/modules.php, Line 173:

** $db->sql_query("update " . $prefix . "_modules set active='$active' where mid='$mid'");

Also the 'ad_class', 'imageurl', 'clickurl', 'ad_code' and 'position' parameters are not checked properly:

File modules/Advertising/admin/index.php, Line 1131:

** BannersAdd($name, $cid, $adname, $imptotal, $imageurl, $clickurl, $alttext, $position, $active, $ad_class, $ad_code, $ad_width, $ad_height);

And in the "BannersAdd()" function:

File modules/Advertising/admin/index.php, Line 351:

** $db->sql_query("insert into " . $prefix . "_banner values (NULL, '$cid', '$adname', '$imptotal', '1', '0', '$imageurl', '$clickurl', '$alttext', now(), '00-00-0000 00:00:00', '$position', '$active', '$ad_class', '$ad_code', '$ad_width', '$ad_height')");

The author told me he will fix the bugs for the next version (8.1).

-------------------------------------------------------------------------------

II) Joomla 1.5.0 Beta:

As the Joomla! 1.5.0 Beta default installation mentions:

"Joomla! 1.5.0 Beta should NOT to be used for `live` or `production` sites."
So, I can release more details about these bugs :)

There are several sql injection bugs in Joomla 1.5.0 Beta:

The 'searchword' parameter is not checked properly before being used in the sql query in several files:

In both the 'plugins/search/content.php' and 'plugins/search/weblinks.php' files, the '$where' variable is not checked. Also, in the 'plugins/search/contacts.php', 'plugins/search/categories.php' and 'plugins/search/sections.php' files, the '$text' var is affected. For example:

File plugins/search/sections.php, Line 75:

:: $query = "SELECT a.name AS title,"
::     . "\n a.description AS text,"
::     . "\n '' AS created,"
::     . "\n '2' AS browsernav,"
::     . "\n a.id AS secid, m.id AS menuid, m.type AS menutype"
::     . "\n FROM #__sections AS a"
::     . "\n LEFT JOIN #__menu AS m ON m.componentid = a.id"
**     . "\n WHERE ( a.name LIKE '%$text%'"
**     . "\n OR a.title LIKE '%$text%'"
**     . "\n OR a.description LIKE '%$text%' )"
::     . "\n AND a.published = 1"
::     . "\n AND a.access <= " .$user->get( 'gid' )
::     . "\n AND ( m.type = 'content_section' OR m.type = 'content_blog_section' )"
::     . "\n GROUP BY a.id"
::     . "\n ORDER BY $order"
::     ;

The search word is limited to 20 characters, so this bug doesn't seem to be critical.

PoC:
http://hacked/index.php?searchword=%25'/**/SQLINJECTION&option=com_search&Itemid=0

Another sql injection exists in the "check()" function. The 'email' parameter is not checked properly:

File libraries/joomla/database/table/user.php, Line 104:

:: $query = "SELECT id"
::     . "\n FROM #__users "
**     . "\n WHERE email = '$this->email'"
::     . "\n AND id != $this->id"
::     ;

This is reachable by normal users, and can be dangerous.

The other sql injection is the same bug described below for Mambo 4.6.1 and Joomla 1.0.11. This has been solved in the SVN version, but the SVN version has another sql injection:

The 'catid' parameter is not checked properly in the "_buildQuery()" function:

File components/com_weblinks/models/category.php, Line 209:

:: $query = "SELECT *" .
::     "\n FROM #__weblinks" .
**     "\n WHERE catid = $this->_id".
::     "\n AND published = 1" .
::     "\n AND archived = 0".
::     "\n ORDER BY $filter_order $filter_order_dir, ordering";

PoC:
http://hacked/index.php?option=com_weblinks&catid=1%20SQLINJECTION

Also, there are several full path disclosure bugs in Joomla 1.5.0 Beta. Many files call the "jimport()" function at the top of the file, so direct access to these files will expose the full path of the script. For example:

http://test/plugins/user/example.php
http://test/plugins/authentication/gmail.php
http://test/plugins/authentication/example.php
http://test/plugins/authentication/ldap.php
http://test/modules/mod_mainmenu/menu.php
..

-------------------------------------------------------------------------------

III) Mambo 4.6.1 and Joomla 1.0.11 (and 1.5 Beta):

The 'id' parameter can cause sql injection when cancelling content editing. Other versions may be affected too. This problem has been solved in Joomla 1.0.12.

-------------------------------------------------------------------------------

IV) Virtuemart 1.0.7:

One sql injection bug exists in Virtuemart 1.0.7. Also one XSS exists in the script. Two new versions have been released in a short time.

-------------------------------------------------------------------------------

V) Xoops 2.0.16 + Weblinks module:

There is a sql injection bug in Xoops 2.0.16 core (and maybe other versions) in the admin section:

The 'id' parameter in the "get()" function is not checked against sql injections:

File kernel/group.php, Line 94:

:: function &get($id)
:: {
::     $group = false;
::     if (intval($id) > 0) {
**         $sql = 'SELECT * FROM '.$this->db->prefix('groups').' WHERE groupid='.$id;

This one doesn't seem to be critical.
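Returning to the Joomla 1.5.0 Beta full path disclosure bugs in section II: the following is an added example, not one of the Joomla files named above, showing why a direct request to a file that calls jimport() leaks the script's absolute path, and the two defences a site operator has. The first is the guard Joomla itself places on the first line of included files, `defined('_JEXEC') or die('Restricted access');` (index.php defines _JEXEC before loading any plugin or module, so a direct hit stops before jimport() is reached); the second is display_errors=Off, which keeps the path out of the response even for a file that lacks the guard. The simulateDirectRequest() and guardedFile() helpers are constructed for this demonstration.

```php
<?php
// Added example (not Joomla code). Run with php-cli to see the message a
// direct request to an unguarded include-only file would produce, and how
// the _JEXEC guard prevents it.

// Simulates the error PHP raises when an include-only file is requested
// directly: jimport() only exists once the Joomla framework has been loaded,
// so the call fails as an undefined function.
function simulateDirectRequest(): string
{
    try {
        jimport('joomla.plugin.plugin');   // undefined here, as it is on a direct hit
    } catch (Error $e) {
        // With display_errors=On this is roughly what the browser receives:
        // the message plus the absolute path of the file, which is the full
        // path disclosure the advisory describes.
        return sprintf('Fatal error: %s in %s on line %d',
            $e->getMessage(), $e->getFile(), $e->getLine());
    }
    return 'no error';
}

// Defence 1: the guard Joomla puts on the first line of plugin/module files.
// It is written here as a function so the outcome can be returned rather than
// terminating the script; in a real file the one-liner is
//   defined('_JEXEC') or die('Restricted access');
function guardedFile(): string
{
    if (!defined('_JEXEC')) {
        return 'Restricted access';    // script stops before jimport() is reached
    }
    return 'plugin loaded';
}

echo simulateDirectRequest(), PHP_EOL;   // shows the path that would leak
echo guardedFile(), PHP_EOL;             // _JEXEC is not defined here, so: Restricted access

// Defence 2 (production php.ini): keep paths out of responses even when a
// file lacks the guard. Errors still go to the log for the administrator.
//   display_errors = Off
//   log_errors = On
```

The guard is the fix the Joomla project applied to its own files; the php.ini setting is defence in depth for any third-party extension that forgot it, and it also hides the paths shown by the PostNuke faq full path disclosure in section X.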
In the "Weblinks" module:

The 'lid' parameter in the "deleteByLid()" function is not checked against sql injections:

File class/table_broken.php, Line 58:

:: function deleteByLid($lid)
:: {
**     $sql = "DELETE FROM $this->table WHERE lid=$lid";
::     return $this->query_false($sql);
:: }

Also 3 other sql injections exist which can be exploitable and are not described here. The new version is not released yet.

-------------------------------------------------------------------------------

VI) DocMan 1.3 RC2:

There are some vulnerabilities in DocMan 1.3 RC2 (and maybe other versions):

Four sql injection bugs exist in DocMan, two of which can be exploited by normal users and can be dangerous. Also there is a dangerous XSS in the script. Another bug is a full path disclosure. I contacted the project admin, but I received no replies. If anyone knows a security contact email of the project, please mail me.

-------------------------------------------------------------------------------

VII) ATutor 1.5.3.2:

Two sql injections exist in ATutor 1.5.3.2. This was reported several days ago and the new version was released several days ago ...

-------------------------------------------------------------------------------

VIII) Letterman 1.2.3:

There are 3 sql injections in Letterman 1.2.3 (and maybe other versions):

The 'id' parameter in the "lm_sendMail()" function is not checked properly before being used in the sql query:

File components/com_letterman/letterman.class.php, Line 251:

** $id = mosGetParam( $_POST, "id", '' );

File components/com_letterman/letterman.class.php, Line 452:

** $database->setQuery( "UPDATE `#__letterman` SET send=NOW() WHERE id=$id" );
:: $database->query();

Other bugs are in the "saveNewsletter()" and "cancelNewsletter()" functions. Again, the 'id' parameter is used without checking. This doesn't work in Joomla 1.0.12.
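The bugs in sections I, II, V and VIII share one shape: a numeric request parameter (mid, catid, groupid, lid, id) is concatenated into the SQL string, and in the Xoops group.php case it is even checked with intval() first, which does not help because the original string is what reaches the query. The block below is an added example, not code from any of these projects, that reproduces the pattern on an in-memory SQLite database beside two fixes: casting the value before use, and binding it as a prepared-statement parameter. It also binds a LIKE search term after escaping its wildcard characters, which is the treatment the 'searchword' queries in section II would need. Table, rows and the inputs are constructed for the demo; it assumes php-cli with the pdo_sqlite extension.

```php
<?php
// Added example (not PHP-Nuke, Joomla, Xoops or Letterman code).

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE weblinks (id INTEGER, catid INTEGER, title TEXT, published INTEGER)');
    // Constructed rows: two published links in different categories, one draft.
    $db->exec("INSERT INTO weblinks VALUES (1, 1, 'public link', 1)");
    $db->exec("INSERT INTO weblinks VALUES (2, 2, 'other category', 1)");
    $db->exec("INSERT INTO weblinks VALUES (3, 1, 'draft link', 0)");
    return $db;
}

// Vulnerable: mirrors the kernel/group.php pattern above. intval('1 OR 1=1')
// is 1 (PHP stops at the first non-digit), so the guard passes, but the raw
// string is what is concatenated into the query.
function linksVulnerable(PDO $db, string $catid): array
{
    if (intval($catid) <= 0) {
        return [];
    }
    $sql = "SELECT id FROM weblinks WHERE catid = $catid AND published = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fix 1: cast first and use the cast value everywhere after that. Enough for
// integer parameters, which is what every bug listed above involves.
function linksCast(PDO $db, string $catid): array
{
    $catid = (int) $catid;
    if ($catid <= 0) {
        return [];
    }
    $sql = "SELECT id FROM weblinks WHERE catid = $catid AND published = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fix 2 (preferred): bind every user-supplied value. The search term is bound
// too, after escaping LIKE wildcards, so input such as "%'" is only characters
// to look for and never query syntax.
function linksBound(PDO $db, string $catid, string $search = ''): array
{
    $stmt = $db->prepare(
        "SELECT id FROM weblinks WHERE catid = :catid AND published = 1"
        . " AND title LIKE :pattern ESCAPE '\\'"
    );
    $escaped = addcslashes($search, '\\%_');   // backslash, percent, underscore
    $stmt->execute([':catid' => (int) $catid, ':pattern' => "%{$escaped}%"]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$hostile = '1 OR 1=1';   // constructed input that passes the intval() check
printf("vulnerable: %s\n", implode(',', linksVulnerable($db, $hostile)));
printf("cast:       %s\n", implode(',', linksCast($db, $hostile)));
printf("bound:      %s\n", implode(',', linksBound($db, $hostile, "%'")));
printf("bound:      %s\n", implode(',', linksBound($db, '1', 'link')));
```

The vulnerable function returns every row, including the draft from another category's point of view, because the injected OR turns the WHERE clause into `catid = 1 OR (1=1 AND published = 1)`; the two fixed functions return only the published link with id 1 for the same input, and the bound search for the literal string `%'` matches nothing. The Letterman case (mosGetParam($_POST, "id", '') with an empty-string default) has the same remedy: cast with (int) at the point the value is read, before it reaches setQuery().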
-------------------------------------------------------------------------------

IX) WDaemon 9.5.4:

There is a security bug in WDaemon 9.5.4 and some (maybe all) previous versions. WDaemon, the web server of MDaemon, exposes the hosted dll applications to remote users. I reported this to altn, but an altn staff member told me this is not a security bug. Anyway, the PoC is:

http://mdaemon:3000//WorldClient.dll

Tested versions: WDaemon/7.2.0, WDaemon/9.0.4 and WDaemon/9.5.4

-------------------------------------------------------------------------------

X) PostNuke:

3 bugs exist in PostNuke 0.764. First, one XSS bug in the reviews section; the second is an interesting bug in the rating section; and the third is a full path disclosure in the faq section. The new version is not available, but patched code is available from:

http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/?root=postnuke

- Omid

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/