| Subject: | Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities |
|---|---|
| Date: | 30 May 2006 14:53:11 -0000 |
===========================================================
Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory TUVSA-0605-001, May 30, 2006
===========================================================

Affected applications
----------------------
Open Searchable Image Catalogue (http://cosp.wordpress.com/tag/osic, http://sourceforge.net/projects/osic-win)
Versions 0.7 and prior.

Description
------------
There are a number of cross-site scripting (XSS) vulnerabilities caused by the second echo statement in function do_mysql_query (core.php, line 544). If a database query fails for some reason, the failed query, including any user-supplied data in it, is reflected back to the user unescaped.

Here are a few points where this situation can be exploited (if register_globals is active and the current user is logged in as admin):

adminfunctions.php, line 531
http://localhost/osic07/admin.php?action=manageusers&username=neweviluser&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</script>

adminfunctions.php, line 561
http://localhost/osic07/admin.php?action=manageusers&id=777&username=neweviluser&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</script>

editcatalogue.php, line 523
http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id='<script>alert('hi')</script>&uploaded=true&submit=true&AddRemaining=true
[there has to be at least one file with a valid extension in the uploads directory]

editcatalogue.php, line 581
http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id=777&uploaded=true&submit=true&catalogue_id='<script>alert('hi')</script>

Because the user input reaches the query string unquoted and unescaped, the above vulnerabilities are also SQL injection vulnerabilities; the reflected error is only what makes the injection visible.

Some analogous cases in search.php:

search.php, line 120: The $query variable can contain malicious user input due to the assignments on lines 90-112.

search.php, line 152: $cf_query is tainted by $cfid, which is tainted by $tempCustomFieldID, which is tainted by $HTTP_POST_VARS (line 138).

search.php, lines 243-250: There are calls to getValueFromID with $item_list as parameter, which can be controlled by an attacker.

Solution
---------
The authors responded to our message quickly and have released version 0.7.0.1, which fixes the above issues.

Timeline:
March 30, 2006:
- Vulnerabilities reported to Chris Goerner.
- Response and release of fixed version.
- Advisory submission.

References
-----------
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0605-001.txt

Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at
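The two bug classes in this advisory share one root cause: a request variable is concatenated into the SQL text, and when the resulting query fails the raw text is echoed into the page. The following is an added example, not OSIC's code, that models that pattern and its fix. It uses an in-memory SQLite table with a constructed schema (items with a catalogue_id) in place of OSIC's MySQL database, and the function names make_db, do_query_vulnerable, list_items_vulnerable and list_items_hardened are assumptions for the demo; the catalogue_id payload is the one from the editcatalogue.php URLs above.

```python
"""Added example (not OSIC's code): the failure-echo pattern the advisory
describes, modelled on an in-memory SQLite table instead of OSIC's MySQL
schema.  Table, rows and function names are constructed for this demo."""
import html
import sqlite3

XSS_PAYLOAD = "'<script>alert('hi')</script>"   # the advisory's catalogue_id payload
SQLI_PAYLOAD = "1' OR '1'='1"                   # same sink, used to widen the WHERE clause


def make_db():
    """Constructed sample catalogue; not OSIC's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, catalogue_id INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO items (catalogue_id, name) VALUES (?, ?)",
        [(1, "sunset.jpg"), (1, "beach.jpg"), (2, "mountain.jpg")],
    )
    return conn


def do_query_vulnerable(conn, query):
    """Mimics the pattern the advisory attributes to do_mysql_query:
    when the query fails, the raw query text is echoed into the HTML page."""
    try:
        return conn.execute(query).fetchall(), ""
    except sqlite3.Error as exc:
        # Unescaped: whatever the attacker put in the query lands in the response.
        return None, f"<p>Query failed: {exc}</p><pre>{query}</pre>"


def list_items_vulnerable(conn, catalogue_id):
    """Builds the WHERE clause by string concatenation, the way a
    register_globals-era script does with a request variable."""
    query = "SELECT id, name FROM items WHERE catalogue_id = '" + catalogue_id + "'"
    return do_query_vulnerable(conn, query)


def list_items_hardened(conn, catalogue_id):
    """Fix: validate the id's type at the edge, bind it as a parameter, and
    never reflect query text; if an error is shown at all, escape it."""
    try:
        cid = int(catalogue_id)
    except (TypeError, ValueError):
        return None, "<p>Invalid catalogue id.</p>"
    try:
        rows = conn.execute(
            "SELECT id, name FROM items WHERE catalogue_id = ?", (cid,)
        ).fetchall()
        return rows, ""
    except sqlite3.Error as exc:
        # Details belong in the server log; the user gets an escaped, generic message.
        return None, "<p>Query failed: " + html.escape(str(exc)) + "</p>"


def demo():
    """Runs both handlers against the payloads and returns what happened."""
    conn = make_db()
    # 1. Reflected XSS through the error path: the unterminated quote breaks
    #    the query, and the broken query, script tag and all, comes back in the page.
    rows, page = list_items_vulnerable(conn, XSS_PAYLOAD)
    xss_reflected = rows is None and "<script>alert('hi')</script>" in page
    # 2. The same sink is SQL injection: the quote closes the literal and the
    #    appended OR makes the WHERE clause match every row.
    rows, _ = list_items_vulnerable(conn, SQLI_PAYLOAD)
    sqli_rows = len(rows)          # all 3 rows, not just those of catalogue 1
    # 3. Hardened handler: both payloads are rejected, honest input still works.
    rejected = (list_items_hardened(conn, XSS_PAYLOAD)[0] is None
                and list_items_hardened(conn, SQLI_PAYLOAD)[0] is None)
    legit = len(list_items_hardened(conn, "2")[0])
    return {"xss_reflected": xss_reflected, "sqli_rows": sqli_rows,
            "hardened_rejects": rejected, "hardened_rows_for_2": legit}


if __name__ == "__main__":
    print(demo())
```

The hardened version fixes the advisory's two findings at once: a bound parameter removes the injection, and refusing to echo query text removes the XSS, so the fix does not depend on the attacker's payload failing to parse. The integer check mirrors the advisory's own observation that catalogue_id is an identifier, not free text; in OSIC's PHP the equivalent is intval() on the request variable before it reaches the query.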