CloisterBlog Input Validation Flaw Permits Directory Traversal and Authentication Error Grants Administrative Access
SecurityTracker Alert ID: 1009588
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 29 2004
Impact: Disclosure of system information, Disclosure of user information, User access via network
Exploit Included: Yes
Version(s): 1.2.2
Description: Several vulnerabilities were reported in CloisterBlog. A remote user can view files on the target system. A remote user who knows or guesses the administrative password can gain administrative access without a valid user ID. A remote user can conduct cross-site scripting attacks.

Dotho of Badcode.org reported that the software does not validate user-supplied input. A remote user can supply a specially crafted value (for the 'smonth' parameter, for example) containing '../' directory traversal sequences to view arbitrary files on the target system with the privileges of the target web service. A demonstration exploit URL is provided:

/cloisterblog/journal.pl?syear=2004&sday=11&smonth=../../../../../../../../etc/passwd%00

The trailing '%00' is a URL-encoded NUL byte. Whatever suffix or further path components the script appends to the supplied value come after that NUL, and a C string ends at its first NUL, so the name the C library actually opens ends at '/etc/passwd'. Perl of that era passed such a file name through to the C library unchanged.

It is also reported that the administrative section does not properly authenticate the administrator: the validateUser routine compares only the submitted password against the stored password and never examines the submitted user ID. As a result, a remote user who knows or guesses the administrative password gains administrative access regardless of the user ID supplied. The report further notes that failed attempts are not logged, so the password can be brute-forced without leaving a trace.

The report also indicates that cross-site scripting attacks are possible. A remote user can submit specially crafted text that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CloisterBlog software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor has reportedly been notified without response.
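The traversal described above, worked through as an added Python example (this is not code from CloisterBlog or from the report): it builds a journal file name from the three parameters the way an unvalidated script would, shows which file the C library would actually open once the %00 cuts the name short, and sets a hardened builder beside it that whitelists each date component and then re-checks that the resolved path stays inside the data directory. The data directory, the per-day file layout and the '.txt' suffix are assumptions made for the illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed layout for this example: one journal file per day, stored as
# DATA_ROOT/<year>/<month>/<day>.txt. Directory, layout and suffix are
# assumptions for illustration, not taken from CloisterBlog.
DATA_ROOT = "/var/www/cloisterblog/data"

# The smonth value from the advisory's demonstration URL, decoded so the
# trailing %00 becomes a real NUL byte.
EXPLOIT_SMONTH = unquote("../../../../../../../../etc/passwd%00")


def unsafe_entry_path(syear, smonth, sday):
    """The pattern the advisory describes: parameters pasted into a file name
    with no validation, so '../' in any of them walks out of DATA_ROOT."""
    return f"{DATA_ROOT}/{syear}/{smonth}/{sday}.txt"


def as_seen_by_libc(path):
    """What a C-level open() would actually receive. Perl of the time passed
    the string through unchanged, and a C string ends at its first NUL byte,
    so everything the script appended after the %00 disappears."""
    truncated = path.split("\0", 1)[0]
    return os.path.normpath(truncated)


def escapes_root(path):
    """True when the file that would really be opened lies outside DATA_ROOT."""
    return os.path.commonpath([DATA_ROOT, as_seen_by_libc(path)]) != DATA_ROOT


# Hardened version: whitelist each component, then re-check containment.
# [0-9] rather than \d so Unicode digit characters cannot slip through.
_YEAR = re.compile(r"[0-9]{4}")
_MONTH = re.compile(r"0[1-9]|1[0-2]")
_DAY = re.compile(r"0[1-9]|[12][0-9]|3[01]")


class BadParameter(ValueError):
    pass


def safe_entry_path(syear, smonth, sday):
    """Rejects anything that is not a plain zero-padded date component, so
    '.', '/' and NUL can never reach the file name; then resolves the path and
    refuses it if it is not under DATA_ROOT (defence in depth against a later
    change to the layout reintroducing traversal)."""
    for name, value, pattern in (("syear", syear, _YEAR),
                                 ("smonth", smonth, _MONTH),
                                 ("sday", sday, _DAY)):
        if not pattern.fullmatch(value):
            raise BadParameter(f"{name}: rejected {value!r}")
    root = os.path.realpath(DATA_ROOT)
    candidate = os.path.realpath(os.path.join(root, syear, smonth, sday + ".txt"))
    if os.path.commonpath([root, candidate]) != root:
        raise BadParameter("resolved path escapes DATA_ROOT")
    return candidate


def rejects(syear, smonth, sday):
    """Helper for checking: True if the hardened builder refuses the input."""
    try:
        safe_entry_path(syear, smonth, sday)
    except BadParameter:
        return True
    return False


if __name__ == "__main__":
    exploit = unsafe_entry_path("2004", EXPLOIT_SMONTH, "11")
    print("unvalidated script would open:", as_seen_by_libc(exploit))
    print("escapes data root:", escapes_root(exploit))
    print("hardened refuses exploit:", rejects("2004", EXPLOIT_SMONTH, "11"))
    print("hardened accepts a real date:", safe_entry_path("2004", "03", "11"))
```

The whitelist is what actually closes the hole; the realpath containment test is there so that a future change to how the file name is assembled (a user-chosen journal name, say) still cannot reach outside the data directory.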
Impact: A remote user can view files on the target system that are located outside of the web document directory.
A remote user who knows or guesses the administrative password can gain administrative access on the application without a valid user ID.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CloisterBlog software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: freshmeat.net/projects/cloisterblog/
Cause: Authentication error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Dotho <dotho@badcode.org>
Message History:
None.
Source Message Contents
Date: Sun, 28 Mar 2004 17:51:07 -0500 (EST)
From: Dotho <dotho@badcode.org>
Subject: Multiple Vulnerabilities in Cloisterblog web blog/journal
Executive Overview
------------------
Cloisterblog, a general-usage web blog written in Perl, suffers
from multiple XSS and directory traversal issues as well as a design flaw in the admin section.
Program Description
--------------------
Cloisterblog
(http://www.circleofthunder.com/journal/cloisterblog-1.2.2.tar.gz)
"CloisterBlog is simple but feature packed Web-based journal system that does not
require MySQL or manual modification of files"
Issue(s)
-------
Cloisterblog doesn't do any parameter checking on inputs; this leads to
the multiple XSS and directory traversal issues. In addition, the admin
section of the blog never actually checks the user id of the user, only
the password. In addition, no sort of logging is performed on this
parameter, so it is readily susceptible to brute forcing.
Example(s)/code
---------
/cloisterblog/journal.pl?syear=2004&sday=11&smonth=../../../../../../../../etc/passwd%00
from journal_admin.pl:

    # @passfile presumably holds the lines of the password file, read earlier
    # in the script; $pass is the password submitted by the form and $user the
    # submitted user id. Only $pass is ever compared.
    sub validateUser {
        $password = $passfile[0];
        chomp($password);
        chomp($pass);
        if ($pass eq $password) {
            return 1;
        } else {
            return 0;
        }
    }

($user, which is declared in journal_admin.pl, is never used)
Remedy/Fix(es)
--------------
None, delete the blog and either write your own or choose another
Vendor status
-------------
Non-responsive: despite waiting nearly twice as long as we normally do for
at least a "screw you" reply, the authors have not replied, nor released
an updated version. We waited this long because it appears the author
runs the software him/herself.
--0-0-0
Badcode.org
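The authentication flaw in the quoted validateUser routine, set beside a corrected check, as an added Python example rather than CloisterBlog's own code. The flawed function reproduces the password-only comparison (user name accepted, never consulted, both strings chomped). The corrected function looks the user name up, compares a salted PBKDF2-SHA256 hash in constant time, runs unknown user names through a dummy record so a lookup miss costs the same time as a real check, and logs and counts failures per remote address so brute forcing is both visible and throttled, which addresses the missing logging the report calls out. The credential store, user name, sample password and lockout threshold are assumptions made for the illustration.

```python
import hashlib
import hmac
import logging
import secrets

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("journal_admin")

# Constructed credential store for this example. CloisterBlog kept a single
# plaintext password line in a file; here each user has a salted PBKDF2-SHA256
# record. The user name, sample password and lockout threshold are assumptions.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct horse"      # constructed sample secret for the demo only
ITERATIONS = 100_000
MAX_FAILURES = 5


def make_record(password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


USERS = {ADMIN_USER: make_record(ADMIN_PASSWORD)}
# Record hashed against for unknown user names, so a lookup miss costs the
# same time as a real check and does not reveal which names exist.
DUMMY = make_record(secrets.token_hex(16))


def validate_user_flawed(user, password):
    """Mirror of the quoted validateUser: the user name is accepted but never
    consulted; only the password is compared (after chomp on both sides)."""
    stored = ADMIN_PASSWORD.rstrip("\n")
    return password.rstrip("\n") == stored


_failures = {}   # remote address -> consecutive failed attempts (in-memory for the demo)


def validate_user(user, password, remote_addr):
    """Corrected check: user name and password are validated together, the
    digest comparison is constant-time, and every failure is logged and
    counted per remote address so brute forcing is visible and throttled."""
    if _failures.get(remote_addr, 0) >= MAX_FAILURES:
        log.warning("admin login refused, lockout user=%r from=%s", user, remote_addr)
        return False
    record = USERS.get(user, DUMMY)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    match = hmac.compare_digest(digest, record["digest"])
    ok = match and user in USERS
    if ok:
        _failures.pop(remote_addr, None)
        log.info("admin login ok user=%r from=%s", user, remote_addr)
        return True
    _failures[remote_addr] = _failures.get(remote_addr, 0) + 1
    log.warning("admin login FAILED user=%r from=%s attempt=%d",
                user, remote_addr, _failures[remote_addr])
    return False


def brute_force_then_real(remote_addr):
    """Helper: MAX_FAILURES wrong guesses from one address, then the real
    password; returns whether the real password is still accepted."""
    for _ in range(MAX_FAILURES):
        validate_user(ADMIN_USER, "guess", remote_addr)
    return validate_user(ADMIN_USER, ADMIN_PASSWORD, remote_addr)


if __name__ == "__main__":
    print("flawed, any user name:", validate_user_flawed("not-the-admin", ADMIN_PASSWORD))
    print("fixed, any user name: ", validate_user("not-the-admin", ADMIN_PASSWORD, "10.0.0.1"))
    print("fixed, real admin:    ", validate_user(ADMIN_USER, ADMIN_PASSWORD, "10.0.0.1"))
    print("fixed, after lockout: ", brute_force_then_real("10.0.0.2"))
```

The in-memory failure counter is only there to make the lockout visible in a single run; a real CGI process would have to keep that state on disk or in a shared store, since each request starts a fresh interpreter.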