Re: SAXON version 5.4 Multiple Path Disclosure Vulnerabilities

[reepex <reepex () gmail com>]

dot dot dot

first an sql injection post that requires magic quotes off, then a
post about xss, and now a post about path disclosure?

Why waste cve entries and people's time with crap like this? Couldnt
you at least find post-auth ftp dos bugs like morning wood?

On 10/29/07, SecurityResearch <securityresearch () netvigilance com> wrote:
> netVigilance Security Advisory #53
> SAXON version 5.4 Multiple Path Disclosure Vulnerabilities
> Description:
> SAXON is a simple accessible online news publishing system for personal and small corporate site owners. Publish 
> news, using configurable templates, on any .php page on your site. Publish news on a 'per author' basis. Edit and/or 
> delete existing news items. Create multiple RSS news feeds automatically (RSS 0.9, RSS 2.0 and Atom). Post date news 
> items for later public release. Multiple authors allowed. Ability to configure users as Standard or Administrators. 
> Ability to add/delete users (Administrators only). Option to change any user password (Administrators only). Template 
> creation/deletion/amendment interface. Online setup and configuration.
> External References:
> Mitre CVE: CVE-2007-4861
> NVD NIST: CVE-2007-4861
> OSVDB: Unassigned
> Summary:
> SAXON is a simple accessible online news publishing system for personal and small corporate site owners.
> Security problems in the product allow attackers to gather the true path of the server-side script.
> Advisory URL:
> http://www.netvigilance.com/advisory0053
> Release Date:
> 10/29/2007
>
> CVSS Version 2 Metrics:
> Base Metrics:
>
>
> Exploitability Metrics:
>
>
>
> Access Vector:
> Network
>
>
> Access Complexity:
> Low
>
>
> Authentication:
> None
>
> Impact Metrics:
>
>
>
> Confidentiality Impact:
> Partial
>
>
> Integrity Impact:
> None
>
>
> Availability Impact:
> None
> Temporal Metrics:
>
>
> Exploitability:
> Functional
>
> Remediation Level:
> Official Fix
>
> Report Confidence:
> Confirmed
>
> CVSS Version 2 Vectors:
> Base Vector:
> "AV:N/AC:L/Au:N/C:P/I:N/A:N"
> Temporal Vector:
> "E:F/RL:OF/RC:C"
>
> CVSS Version 2 Scores:
> Base Score:
> 5
>
> Impact Subscore:
> 2.9
>
> Exploitability Subscore:
> 10
> Temporal Score:
> 4.1
> SecureScout Testcase ID:
> TC 17990
> Vulnerable Systems:
> SAXON version 5.4
> Vulnerability Type:
> Program flaws - The product scripts have flaws which lead to Warnings or even Fatal Errors.
> Vendor:
> Quirm
> Vendor Status:
> The Vendor has confirmed the problem and has release new version 5.41 that addresses the problem. New version of 
> product was tested and we can confirm that all vulnerabilities were solved.  For more information see vendor 
> announcement. To download the latest version go to vendors product download area.
> Workaround:
> > From netVigilance:
> Disable warning messages: modify in the php.ini file following line: display_errors = Off.
> > From vendor:
> Modify .htaccess file to include 'php_flag register_globals off' (this will work only for the Apache servers). Amend 
> admin/config.php to include 'error_reporting(0);'
> Update critical files in the /admin, /rss and root directory of the installation (all MySQL error reporting removed)
> Example:
> Path Disclosure Vulnerability 1:
> REQUEST:
> http://[TARGET]/[PRODUCT DIRECTORY]/news.php
> REPLY:
> <b>Fatal error</b>:  Call to undefined function:  quotesmart() in <b>[DISCLOSED PATH][PRODUCT DIRECTORY]\news.php</b> 
> on line <b>15</b><br />
> Path Disclosure Vulnerability 2:
> REQUEST:
> http://[TARGET]/[SAXON-DIRECTORY]/admin/edit-item.php?newsid[]=1
> REPLY:
> <b>Warning</b>:  mysql_real_escape_string() expects parameter 1 to be string, array given in <b>[DISCLOSED 
> PATH][PRODUCT DIRECTORY]\admin\functions.php</b> on line <b>48</b><br />
> Credits:
> Jesper Jurcenoks
> Co-founder netVigilance, Inc
> www.netvigilance.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/