logo Home

Untitled Document
Security Corporation Security Advisories


Untitled Document .: Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb :.

________________________________________________________________________

Security Corporation Security Advisory [SCSA-010]
________________________________________________________________________

PROGRAM: MyABraCaDaWeb
HOMEPAGE: http://www.webmaster-mag.net/
VULNERABLE VERSIONS: v1.0.2 and prior
________________________________________________________________________

DESCRIPTION
________________________________________________________________________

MyABraCaDaWeb is an other Content Management Systems like PHP-Nuke

More informations at :
http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (In French)


DETAILS & EXPLOITS
________________________________________________________________________


¤ Path Disclosure :

Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers to determine
the physical path of the application.

This vulnerability would allow a remote user to determine the full path to the web root directory
and other potentially sensitive information. This vulnerability can be triggered by a remote user
submitting a specially crafted HTTP request, such as a request for an invalid Admin ID.

Exploits :

http://[target]/index.php?IDAdmin=test

http://[target]/index.php?base=test

http://[target]/index.php?tampon=test

http://[target]/index.php?SqlQuery=test

etc...

---------------------------------------

¤ Cross Site Scripting :

A Cross-Site Scripting vulnerability have been found in MyABraCaDaWeb which allow
attackers to inject script codes into the search script and use them on clients browser
as if they were provided by the site.

This Cross-Site Scripting vulnerability are found in the page for searching keyword.

An attacker can input specially crafted links and/or other malicious scripts.

Exploit :

http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw=[hostile_code]

The module could be : "annuaire2liens"

The hostile code could be :
[script]alert("Cookie="+document.cookie)[/script]

(open a window with the cookie of the visitor.)

(replace [] by <>)

Vulnerable code "header.php" :

####################################################################
//---Creation du rapport
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
if(quel_groupe() == 4){
$sql = htmlentities($sql);
$sql = addslashes($sql);
$vtp_p->addSession($tpl_p,"sql");
$vtp_p->setVar($tpl_p,"sql.sql",$sql);
$vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);
####################################################################


SOLUTIONS
________________________________________________________________________

¤ Path Disclosure :

No solution for the moment.

¤ Cross Site Scripting :

You can found a patch at the following link :

http://www.security-corporation.com/assets/security/download/patch/MyABraCaDaWebv1.0.2XSSpatch.zip

For example use this code in "header.php":

####################################################################
//---Creation du rapport

# BugFix by Gregory LEBRAS http://www.security-corporation.com/

$ma_kw = eregi_replace("content-disposition:","!content-disposition:!",$ma_kw);
$ma_kw = eregi_replace("include","!include!",$ma_kw);
$ma_kw = eregi_replace("\<\?","<.?",$ma_kw);
$ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw);
$ma_kw = eregi_replace("\?\>","?.>",$ma_kw);
$ma_kw = eregi_replace("<script>","<.script>",$ma_kw);
$ma_kw = eregi_replace("</script>","<./script>",$ma_kw);
$ma_kw = eregi_replace("javascript","!javascript!",$ma_kw);
$ma_kw = eregi_replace("embed","!embed!",$ma_kw);
$ma_kw = eregi_replace("iframe","!iframe!",$ma_kw);
$ma_kw = eregi_replace("refresh","!refresh!",$ma_kw);
$ma_kw = eregi_replace("onload","!onload!",$ma_kw);
$ma_kw = eregi_replace("onstart","!onstart!",$ma_kw);
$ma_kw = eregi_replace("onerror","!onerror!",$ma_kw);
$ma_kw = eregi_replace("onabort","!onabort!",$ma_kw);
$ma_kw = eregi_replace("onblur","!onblur!",$ma_kw);
$ma_kw = eregi_replace("onchange","!onchange!",$ma_kw);
$ma_kw = eregi_replace("onclick","!onclick!",$ma_kw);
$ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw);
$ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw);
$ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw);
$ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw);
$ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw);
$ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw);
$ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw);
$ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw);
$ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw);
$ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw);
$ma_kw = eregi_replace("onreset","!onreset!",$ma_kw);
$ma_kw = eregi_replace("onselect","!onselect!",$ma_kw);
$ma_kw = eregi_replace("onsubmit","!onsubmit!",$ma_kw);
$ma_kw = eregi_replace("onunload","!onunload!",$ma_kw);
$ma_kw = eregi_replace("document.cookie","!document.cookie!",$ma_kw);
$ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw);
$ma_kw = eregi_replace("location","!location!",$ma_kw);
$ma_kw = eregi_replace("object","!object!",$ma_kw);
$ma_kw = eregi_replace("vbs","!vbs!",$ma_kw);
$ma_kw = eregi_replace("href","!href!",$ma_kw);
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
if(quel_groupe() == 4){
$sql = htmlentities($sql);
$sql = addslashes($sql);
$vtp_p->addSession($tpl_p,"sql");
$vtp_p->setVar($tpl_p,"sql.sql",$sql);
$vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);
####################################################################


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified. It currently develops a patch.


LINKS
________________________________________________________________________

http://www.security-corp.org/index.php?ink=4-15-1

-------------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.security-corporation.com/
-------------------------------------------------------------------------



arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy