SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Join our Affiliate Program
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  TUTOS Vendors:  tutos.org
TUTOS Input Validation Vulnerabilities Permit Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007038
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 23 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.1
Description:  Several input validation vulnerabilities were reported in TUTOS. A remote user can conduct cross-site scripting attacks.

Kereval issued a security advisory warning that the software does not filter HTML code from user-supplied input in the 'msg' attribute of several scripts, including the 'file_select.php' script. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TUTOS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/tutos/file/file_select.php?msg=<hostile code>

It is also reported that a remote user can upload messages containing HTML code via the following type of URL:

http://[target]/tutos/file/file_new.php?link_id=1065

Then, once the file has been uploaded, the code will be executed by the target user's browser when the target user loads the following URL:

http://[target]/tutos/repository/[proj ect number]/[filenumber]/FILE

The following notification timeline is provided:

2003-06-20 The vendor has reportedly been notified.
2003-06-23 Response from the vendor with solution.
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TUTOS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has reportedly released a fixed version, available via CVS as BRANCH-1-1:

https://sourceforge.net/cvs/?group_id=8047
Vendor URL:  www.tutos.org/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Franaois_SORIN <francois.sorin@kereval.com>
Message History:   None.

 Source Message Contents
Date:  Mon, 23 Jun 2003 09:41:36 +0200
From:  Franaois_SORIN <francois.sorin@kereval.com>
Subject:  [KSA-001] Multiple vulnerabilities in Tutos

 

=================================================
Kereval Security Advisory [KSA-001]

Multiple vulnerabilities in Tutos
=================================================

PROGRAM: Tutos
HOMEPAGE: http://www.tutos.org
VULNERABLE VERSIONS: 1.1
RISK: Medium/High
IMPACT: Cross Site Scripting
RELEASE DATE: 2003-06-20

=================================================
TABLE OF CONTENTS
=================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6........................................................VENDOR STATUS
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
=================================================

"TUTOS is a tool to manage the the organizational needs of small
groups, teams, departments ...
To do this it provides some web-based tools"

(direct quote from http://www.tutos.org)


2. DETAILS
=================================================

¤ Cross Site Scripting :

Many exploitable bugs was found in Tutos which cause script
execution on client's computer by following a crafted url.

This kind of attack known as "Cross-Site Scripting Vulnerability"
is present in many section of the web site, an attacker can input
specially crafted links and/or other malicious scripts.

An attacker can upload a file and execute it on the client's computer.
The browser IE can execute a HTML page without extension.


3. EXPLOITS
=================================================

¤ Cross Site Scripting :

http://[target]/tutos/file/file_select.php?msg=<hostile code>

All url with attribute msg...

The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(open a window with the cookie of the visitor.)

(replace [] by <>)

¤ Upload a file with a malicious script

We can upload via http://[target]/tutos/file/file_new.php?link_id=1065

The path is http://[target]/tutos/repository/[project number]/[file
number]/FILE


4. SOLUTIONS
=================================================

The Problem is solved for all new releases where the given <hostile
code> is strictly interpreted as NON-HTML code by TUTOS. And most
messages are stored in the sessiondata and no longer in URLs (there was
also a problem with too long URLs)

The version that implements this is available via CVS as BRANCH-1-1
How to get CVS is described on <https://sourceforge.net/cvs/?group_id=8047>


5. WORKAROUND
=================================================

¤ Cross Site Scripting :

Use the function php eregi_replace to filter the input data.


6. VENDOR STATUS
=================================================

2003-06-20 The vendor has reportedly been notified.
2003-06-23 Response from the vendor with solution.


7. CREDITS
=================================================

Discovered by François SORIN <francois.sorin@security-corporation.com>


8. DISLAIMER
=================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.


9. REFERENCES
=================================================

http://www.security-corporation.com


10. FEEDBACK
=================================================

Please send suggestions, updates, and comments to:

Kereval
Immeuble Le Gallium
80, avenue des Buttes de Coesmes
35700 RENNES - FRANCE
info@kereval.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC