H-Security Labs - Advisories category

Tikiwiki 1.9.8.3 tiki-special_chars.php XSS Vulnerability

Mon, 24 Dec 2007 13:50:13 GMT

H - Security Labs
Tikiwiki v1.9.8.3 Security Advisory
ID : HSEC#20072212

General Information
--------------------------
Name                      : Tikiwiki 1.9.8.3
Vendor HomePage    :http://tikiwiki.org
Platforms                : PHP && MySQL
Vulnerability Type    : Input Validation Error

Timeline
-------------------------
17 December 2007 -- Vendor Contacted
19 December 2007 -- Vendor Replied
22 December 2007 -- New Release
22 December 2007 -- Advisory Released

What is TikiWiki
------------------------
Tikiwiki (Tiki) is your Groupware/CMS (Content Management System) solution. Tiki has the features you need:
Wikis (like Mediawiki), Forums (like phpBB) ,Blogs (like WordPress), Articles (like Digg), Image Gallery (like Flickr), Map Server (like Google Maps), Link Directory (like DMOZ), Translation and i18n (like Babel Fish), Free (LGPL) And much more...

Vulnerability Overview
------------------------
The script is vulnerable to XSS attacks.

Details About Vulnerability
------------------------
XSS Vulnerability (/tikiwiki/tiki-special_chars.php)
At the lines between 166-168 :
-----------------
<input type="button" class="button"
onclick="javascript:window.opener.document.getElementById('<?php

print($_REQUEST["area_name"]);?>').value=window.opener.document.getElementById('<?php print($_REQUEST["area_name"]);?>').value+getElementById('spec').value;"
name="ins" value="ins" />
<input type="button" class="button"
-----------------

You see that, there are two printing of "area_name" variable without properly sanitization.This causes reflected XSS vulnerability and If you set area_name variable to :

>"><script>alert(1)</script>, you can see it..
The attacker can succesfully launch XSS attacks with loading payload on to the URL area_name variable.

Solution
-----------------------
Download the new release : Tikiwiki 1.9.9
from http://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=563456

Credits
-----------------------
The vulnerabilities found on 17 December 2007
by Mesut Timur <mesut@h-labs.org>
H - Security Labs , http://www.h-labs.org
Gebze Institue of Technology,Computer Engineering,http://www.gyte.edu.tr

References
-----------------------
Vendor Confirmation : http://tikiwiki.org/ReleaseProcess199

Falt4 CMS Security Report/Advisory

Wed, 05 Dec 2007 20:24:41 GMT

H - Security Labs
Falt4Extreme (RC4 10.9.2007) Security Report
ID : HSEC#20071012

General Information
--------------------------
Name                           : Falt4Extreme CMS (RC4 10.9.2007)
Vendor HomePage       :http://sourceforge.net/projects/falt4/
Platforms                     : PHP && MySQL
Vulnerability Type       : Input Validation Errors

Disclosure Timeline
-------------------------
04 December 2007 -- Vendor Contacted
04 December 2007 -- Vendor Replied
05 December 2007 -- Fix Released
10 December 2007 -- Pulic Disclosure

What is Falt4Extreme
------------------------
Falt4 CMS is a business approved Content Management System (CMS) under the LGPL. The CMS is feature-rich and has a clean administration area. The ultimate CMS with functions for the professional, usable by everyone.CMS modules are available.

Overview of Vulnerabilities
------------------------
The script is vulnerable to both of XSS and Blind SQL Injection attacks.

Details of Vulnerabilities
------------------------
1-Blind SQL Injection Vulnerability:
http://www.EXAMPLE.com/falt4/
index.php?handler=cat&nav_ID=1'%20and%20'1'='1
nav_ID parameter is not sanitized properly and can be used for Blind SQL Injection attacks.
2-Cross Site Scripting Vulnerabilities
i.http://www.EXAMPLE.com/falt4/
index.php?handler=>"><script>alert(3)</script>&nav_ID=1
Input passed to the 'handler' parameter is not sanitized properly before using and can be used malicious people to perform XSS attacks.

ii .http://www.EXAMPLE.com/falt4/
modules/feed/feed.php?type=rss&lang=1&topic=>"><script>alert(2)</script>
Input passed to the 'topic' parameter is not sanitized properly before using and can be used malicious people to perform XSS attacks.

Solution
-----------------------
Re-download falt4 from sourceforge:
http://downloads.sourceforge.net/falt4/falt4extreme.zip?use_mirror=osdn
Replace these files:
/yourfalt4/index.php
/yourfalt4/modules/feed.php
/yourfalt4/admin/index.php
-----------------------
The vulnerabilities found on 04 December 2007
by Mesut Timur <mesut@h-labs.org>
H - Security Labs , http://www.h-labs.org
Gebze Institue of Technology, Computer Engineering, http://www.gyte.edu.tr

References
-----------------------
Vendor Confirmation : http://sourceforge.net/forum/forum.php?forum_id=762931
Project Site : http://sourceforge.net/projects/falt4/
Me : http://www.h-labs.org

EggBlog v3.1.0 XSS Issues

Sun, 11 Nov 2007 20:13:16 GMT

H - Security Labs
Eggblog v3.1.0 Security Advisory
ID : HSEC#20071111

General Information
--------------------------
Name                         : EggBlog v.3.1.0
Vendor HomePage :http://sourceforge.net/projects/eggblog/
Platforms                     : PHP && MySQL
Vulnerability Type       : Input Validation Error
CVE - ID                       : CVE-2007-5980

Timeline
-------------------------
08 October 2007 -- Vendor Contacted
30 October 2007 -- Vendor Replied
11 November 2007 -- New Release
11 November 2007 -- Advisory Released

What is Eggblog
------------------------
eggblog is a free PHP & MySQL blogging package. Features include an internal search engine,photo albums, forums, plug-ins, guest comments to blog articles, automatic monthly archiving of blog articles and RSS XML feeds for both the blog and forums.
I discovered the security holes when I was testing it for my personel web blog.

Vulnerability Overview
------------------------
The script is vulnerable to XSS attacks.

Details About Vulnerability
------------------------
XSS Vulnerability(home/rss.php)

At the rss.php line 6-7; there are unfiltered PHP_SELFs that can be used for XSS attacks.
---------
<a
href=\"../rss/blog.php\">".$_SERVER['SERVER_NAME'].str_replace ("/home/rss.php","",$_SERVER['PHP_SELF'])."/rss/blog.php</a></li>
<a
href=\"../rss/topics.php\">".$_SERVER['SERVER_NAME'].str_replace ("/home/rss.php","",$_SERVER['PHP_SELF'])."/rss/topics.php</a></li>
---------

The attacker can succesfully launch XSS attacks with loading payload on to the URL after the home\rss.php. For example :
http://www.example.com/home/rss.php/<script>alert(1)</script>

Solutions
-----------------------
Download the new release : EggBlog v3.1.1

Credits
-----------------------
The vulnerabilities found on 08 October 2007
by Mesut Timur <mesut@h-labs.org>
H - Security Labs , http://www.h-labs.org
Gebze Institue of Technology, Computer Engineering, http://www.gyte.edu.tr

References
-----------------------
http://sourceforge.net/forum/forum.php?forum_id=753622
http://www.eggblog.net
http://sourceforge.net/projects/eggblog/
http://www.h-labs.org