phpWebSite Input Validation Bugs in 'cal_template' and Other Parameters Permit SQL Injection and Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1011120
SecurityTracker URL: http://securitytracker.com/id?1011120
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 1 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: GulfTech Security Research Team
Version(s): 0.9.3-4 and prior versions

Description: Several vulnerabilities were reported in phpWebSite. A remote user can inject SQL commands. A remote user can conduct cross-site scripting attacks.

GulfTech Security Research Team reported that a remote user can submit a specially crafted event to the calendar module via the 'cal_template' field. Then, when the administrator approves the event, SQL commands may be executed.

It is also reported that the comments module does not properly filter HTML code from user-supplied input in the 'CM_pid' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the phpWebSite software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

/index.php?module=comments&CM_op=replyToComment&CM_pid=1[XSS]

It is also reported that the subject and message fields of private messages sent via the notes module are affected.

It is also reported that phpWebSite violates RFC 2616 by accepting commands for key functions via HTTP GET requests. As a result, a remote user can exploit cross-site scripting vulnerabilities to cause a target administrator to execute a key function by, for example, embedding a GET request in an IFRAME or an image tag or other tag.

The original advisory is available at:

http://www.gulftech.org/?node=research&article_id=00048-08312004
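
As an added detection example (not part of the SecurityTracker or GulfTech advisory), the Python code below scans web access logs for comments-module requests whose 'CM_pid' value is not a plain integer, the pattern shown in the demonstration URL. It assumes 'CM_pid' is a numeric comment ID and that logs are in combined format; the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not from a real site.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2004:10:00:01 +0000] "GET /index.php?module=comments&CM_op=replyToComment&CM_pid=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Sep/2004:10:00:07 +0000] "GET /index.php?module=comments&CM_op=replyToComment&CM_pid=1%22%3E%3Cb%3Ex HTTP/1.1" 200 5190',
    '203.0.113.9 - - [01/Sep/2004:10:00:09 +0000] "GET /index.php?module=comments&CM_op=replyToComment&CM_pid=1%253Cb%253E HTTP/1.1" 200 5188',
    '198.51.100.2 - - [01/Sep/2004:10:01:00 +0000] "GET /index.php?module=calendar HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Sep/2004:10:02:00 +0000] "POST /index.php HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cm_pid(line):
    """Return the decoded CM_pid value if it is not a plain integer, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)
    if "comments" not in params.get("module", []):
        return None
    for raw in params.get("CM_pid", []):  # repeated parameters are all checked
        value = fully_decode(raw)
        if not re.fullmatch(r"\d+", value):  # assumption: CM_pid is a numeric ID
            return value
    return None

def scan(lines):
    """Return (line_number, offending_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_cm_pid(line)) is not None]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric CM_pid {value!r}")
```

Hits from before the vendor patch was applied are worth correlating with administrator sessions active at the same time, since the advisory notes that injected script can act as the target user.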

Impact: A remote user may be able to execute SQL commands on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phpWebSite software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: The vendor has issued a patch, available at:
http://www.phpwebsite.appstate.edu/downloads/security/
A fix for the RFC 2616 issue is planned for the next major release, scheduled for the end of 2004.

Vendor URL: phpwebsite.appstate.edu/
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)