OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] The vulnerabilities festival !

From: Omid (omidhackers.ir)
Date: Thu Jan 18 2007 - 07:40:58 CST


-------------------------------------------------------------------------------
WWW.GJTR-KMJNILSGJTR-KMJNILSGJTR-KMJNILSGJTR-KMJNILSGJTR-KMJNILSGJTR-KMJNERS.IR
WWW.H-B-XKJLWPYJHB-XKKJLWPJHB--XKKLWPJHB--XXKKLWPJHB-XXKKLLWJHB--XXKLLWJJERS.IR
WWW.HEA-D-IJIEFUHA-D--IJIEUHA--D-IJIEUHA--D--IJIEHA--D--IJJIHA---D-IJJIIHERS.IR
WWW.AZNAUJ-OXILMANAUJJ-OXIMANAAUJ-OXXIMANAUJ--OXIMAANAUJ--OXMAANNAJ--OOXMERS.IR
WWW.CFGETPNDE-NNCGETPNDE-NNCGEETNDE-NNCGEETNDDENNCGGEETNDDENCGGEETNDDDENCERS.IR
WWW.IJJGDQIIJK-MIJGDQIIJK-MIJGGDIIJK-MIJGGDIIIJ-MIJJGGDIIIJ-IJJGGDIIIIJ-IERS.IR
WWW.JJFJOXZTRNMG-FJOXXZTRNG-FJJOXZTRRNG-FJOXZZTRNG--FJOXZZTRG--FFJXZZTTRGERS.IR
WWW.YNWSMFZCYFKYYWSMFFZCYFYYWSSMFZCYYFYYWSMFZZCYYYYWSMFZZCCYYYWSSMFZCCYYYERS.IR
WWW.WIUYR-EZNFDRWUYR--EZNFRWUYYR-EZNNFRWUYR-EEZNNFRWYR-EEZZNFRWYYR-EZZNFFERS.IR
WWW.AZJMKHACKCUSAZJMKHACKCUSAZJMKHACKCUSAZJMKHACKCUSAZJMKHACKCUSAZJMKHACKERS.IR
-------------------------------------------------------------------------------

Salam be hamegi :)

Several vulnerabilities have been found in several programs :
*) 5 sql injection bugs in PHP-Nuke
*) Several sql injection and full path disclosure bugs in Joomla 1.5.0 Beta
*) 1 sql injection bug in Mambo 4.6.1 and Joomla 1.0.11
*) 1 sql injection and 1 XSS bugs in Virtuemart 1.0.7
*) 5 sql injection bugs in Xoops 2.0.16 core + weblinks module
*) 3 sql injection and 1 XSS bugs in DocMan 1.3 RC2
*) 2 sql injection bugs in ATutor 1.5.3.2
*) 3 sql injection bugs in Letterman 1.2.3
*) 1 file disclosure bug in WDaemon 9.5.4
*) 3 security bugs in PostNuke 0.764

I tried to ommit dangerous and exploitable details from this advisory, so
some sections are not discribed in details ...

The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/festival.txt

-------------------------------------------------------------------------------
I) PHP-Nuke :
There are 5 sql injections in PHP-Nuke 7.9 (and maybe other versions including
version 8) :

Three of them exist in 'advertising', 'weblinks' and 'reviews' sections, which
can be dangerous and are not discribed here .
Two others are in admin section :

The 'active' parameter has been passed to "module_status()" function without
proper checking :

File /admin/modules/modules.php, Line 281 :
** module_status($mid, $active);

And in "module_status()" function :

File /admin/modules/modules.php, Line 173 :
** $db->sql_query("update " . $prefix . "_modules set active='$active' where mid='$mid'");

Also the 'ad_class', 'imageurl', 'clickurl', 'ad_code' and 'position' parameters
are not checked properly :

File modules/Advertising/admin/index.php, Line 1131 :
** BannersAdd($name, $cid, $adname, $imptotal, $imageurl, $clickurl, $alttext, $position, $active, $ad_class, $ad_code, $ad_width, $ad_height);

And in "BannersAdd()" function :

File modules/Advertising/admin/index.php, Line 351 :
** $db->sql_query("insert into " . $prefix . "_banner values (NULL, '$cid', '$adname', '$imptotal', '1', '0', '$imageurl', '$clickurl', '$alttext', now(), '00-00-0000 00:00:00', '$position', '$active', '$ad_class', '$ad_code', '$ad_width', '$ad_height')");

The author told me he will fix the bugs for the next version (8.1) .

-------------------------------------------------------------------------------
II) Joomla 1.5.0 Beta :
As Joomla! 1.5.0 Beta default installation has mentioned :
"Joomla! 1.5.0 Beta should NOT to be used for `live` or `production` sites."
So, I can release more details about these bugs :)
There are several sql injection bugs in Joomla 1.5.0 Beta :

The 'searchword' parameter is not checked properly before be used
in the sql query in several files :

In both 'plugins/search/content.php' and 'plugins/search/weblinks.php'
files, the '$where' variable is not checked .

Also, in 'plugins/search/contacts.php', 'plugins/search/categories.php' and
'plugins/search/sections.php' files, the '$text' var is affected. For example :

File plugins/search/sections.php, Line 75 :
:: $query = "SELECT a.name AS title,"
:: . "\n a.description AS text,"
:: . "\n '' AS created,"
:: . "\n '2' AS browsernav,"
:: . "\n a.id AS secid, m.id AS menuid, m.type AS menutype"
:: . "\n FROM #__sections AS a"
:: . "\n LEFT JOIN #__menu AS m ON m.componentid = a.id"
** . "\n WHERE ( a.name LIKE '%$text%'"
** . "\n OR a.title LIKE '%$text%'"
** . "\n OR a.description LIKE '%$text%' )"
:: . "\n AND a.published = 1"
:: . "\n AND a.access <= " .$user->get( 'gid' )
:: . "\n AND ( m.type = 'content_section' OR m.type = 'content_blog_section' )"
:: . "\n GROUP BY a.id"
:: . "\n ORDER BY $order"
:: ;

The search word is limited to 20 characters, so this bug doesnt seem to be
critical .
PoC : http://hacked/index.php?searchword=%25'/**/SQLINJECTION&option=com_search&Itemid=0

Another sql injection exists in "check()" function . The 'email' parameter is
not checked properly :

File libraries/joomla/database/table/user.php, Line 104 :
:: $query = "SELECT id"
:: . "\n FROM #__users "
** . "\n WHERE email = '$this->email'"
:: . "\n AND id != $this->id"
:: ;

This is reachable by normal users, and can be dangerous .

The other sql injection, is the same bug described bellow for Mambo 4.6.1 and
Joomla 1.0.11 . This has been solved in SVN version, but the SVN version has
another sql injection :
The 'catid' parameter is not checked properly in "_buildQuery()" function :

File components/com_weblinks/models/category.php, Line 209 :
:: $query = "SELECT *" .
:: "\n FROM #__weblinks" .
** "\n WHERE catid = $this->_id".
:: "\n AND published = 1" .
:: "\n AND archived = 0".
:: "\n ORDER BY $filter_order $filter_order_dir, ordering";

PoC : http://hacked/index.php?option=com_weblinks&catid=1%20SQLINJECTION

Also, there are several full path disclosure bugs in Joomla 1.5.0 Beta .
Many files call "jimport()" function at the top of the file . So direct access
to these files will expose full path of the script . For example :
http://test/plugins/user/example.php
http://test/plugins/authentication/gmail.php
http://test/plugins/authentication/example.php
http://test/plugins/authentication/ldap.php
http://test/modules/mod_mainmenu/menu.php
..

-------------------------------------------------------------------------------
III) Mambo 4.6.1 and Joomla 1.0.11 (and 1.5 Beta) :
The 'id' parameter can cause sql injection when cancelling content editting .
Other versions maybe affected too .
This problem has been solved in Joomla 1.0.12 .

-------------------------------------------------------------------------------
IV) Virtuemart 1.0.7 :
One sql injection bug exists in Virtuemart 1.0.7 . Also one XSS exists in the
script . Two new versions have been released in a short time .

-------------------------------------------------------------------------------
V) Xoops 2.0.16 + Weblinks module :
There is a sql injection bug in Xoops 2.0.16 core (and maybe other versions) in
admin section:

The 'id' parameter in "get()" function is not checked against sql injections :

File kernel/group.php, Line 94 :
:: function &get($id)
:: {
:: $group = false;
:: if (intval($id) > 0) {
** $sql = 'SELECT * FROM '.$this->db->prefix('groups').' WHERE groupid='.$id;

This one doesnt seem to be critical .

In "Weblinks" module :

The 'lid' parameter in "deleteByLid()" function is not
checked against sql injections :

File class/table_broken.php, Line 58 :
:: function deleteByLid($lid)
:: {
** $sql = "DELETE FROM $this->table WHERE lid=$lid";
:: return $this->query_false($sql);
:: }

Also 3 other sql injections exist which can be exploitable and are not
discribed here . The new version is not released yet .

-------------------------------------------------------------------------------
VI) DocMan 1.3 RC2 :
There are some vulnerabilities in DocMan 1.3 RC2 (and maybe other versions) :
Four sql injection bugs exist in DocMan which two of them can be exploited by
normal users and can be dangerous. Also there is a dangerous XSS in the script.
Another bug is a full path disclosure .
I contacted the project admin, but I received no replies . If anyone knows a
security contact email of the project, plz mail me .

-------------------------------------------------------------------------------
VII) ATutor 1.5.3.2 :
Two sql injections exist in ATutor 1.5.3.2 .
This was reported several days ago and the new version has been released
several days ago ...

-------------------------------------------------------------------------------
VIII) Letterman 1.2.3 :
There are 3 sql injections in Letterman 1.2.3 (and maybe other versions) :

The 'id' parameter in "lm_sendMail()" function is not checked properly
before be used in the sql query :

File components/com_letterman/letterman.class.php, Line 251 :
** $id = mosGetParam( $_POST, "id", '' );

File components/com_letterman/letterman.class.php, Line 452 :
** $database->setQuery( "UPDATE `#__letterman` SET send=NOW() WHERE id=$id" );
:: $database->query();

Other bugs are in "saveNewsletter()" and "cancelNewsletter()" functions .
Again, the 'id' parameter is used without checking . This doesnt work in
Joomla 1.0.12 .

-------------------------------------------------------------------------------
IX ) WDaemon 9.5.4 :
There is a security bug in WDaemon 9.5.4 and some (maybe all) previous
versions . WDaemon, the web server of MDaemon exposes the hosted dll
applications to remote users . I reported this to altn, but an altn staff told
me this is not a security bug . Anyway, the PoC is :
http://mdaemon:3000//WorldClient.dll
Tested versions : WDaemon/7.2.0 , WDaemon/9.0.4 and WDaemon/9.5.4

-------------------------------------------------------------------------------
X ) PostNuke :
3 bugs exist in PostNuke 0.764 .
First, one XSS bug in reviews section, the second is an interesting bug in
rating section and the third, is a full path disclosure in faq section .
The new version is not available , but patched codes are available from :
http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/?root=postnuke

- Omid

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/