SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Sage Vendors:  Blacksun Research Facility
Sage Content Management System Bugs Disclose Installation Path and Let Remote Users Conduct Cross-Site Scripting Flaws
SecurityTracker Alert ID:  1006135
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 20 2003
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.0b3
Description:  Two vulnerabilities were reported in the Sage content management system. A remote user can determine the installation path and can also conduct cross-site scripting attacks against Sage users.

It is reported that a remote user can request a nonexistent module name to cause the system to display the installation path. Some demonstration exploit methods are provided:

http://[target]/?mod=some_thing&op=browse

http://[target]/?mod=node&nid=some_thing&op=view

It is also reported that the $mod variable does not properly filter user-supplied input, allowing a remote user to inject HTML code. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running Sage and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit is provided:

http://[target]/?mod=<script>alert(document.cookie)</script>&op=browse
Impact:  A remote user can determine the software installation path. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Sage, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  No solution was available at the time of this entry.
Vendor URL:  sage.dev.box.sk/ (Links to External Site)
Cause:  Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "euronymous" <just-a-user@yandex.ru>
Message History:   None.

 Source Message Contents
Date:  Thu, 20 Feb 2003 01:21:47 +0300 (MSK)
From:  "euronymous" <just-a-user@yandex.ru>
Subject:  XSS and Path Disclosure in Sage

 

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: XSS and Path Disclosure in Sage
product: Sage 1.0b3
vendor: http://sage.dev.box.sk/
risk: middle
date: 02/20/2k3
discovered by: euronymous /f0kp /r00tc0de
advisory urls: http://f0kp.iplus.ru/bz/015.en.txt
               http://f0kp.iplus.ru/bz/015.ru.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=


description
-----------

1) path disclosure

u can view full system path with two ways:

http://hostname/?mod=some_thing&op=browse

where `some_thing' is a nonexistent module name

===================================================
Fatal error: Cannot instantiate non-existent class: 
module_some_thing 
in /home/aztek/libraries/module.inc.php on line 62
===================================================


other method is:

http://hostname/?mod=node&nid=some_thing&op=view

===================================================
Access Denied 
/home/aztek/modules/node.module.php:71
===================================================


2) cross-site scripting

becouse $mod is not checks correctly, u can to insert
html, javascript, etc in script output:

http://hostname/?mod=<script>alert(document.cookie)</script>&op=browse


shouts: r00tc0de.net, DWC, DHG, security.nnov.ru, all 
russian security guyz!! and kate for being a kewl girl ))
fsck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC