Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17874
HistoryAug 22, 2007 - 12:00 a.m.

Ripe Website Manager SQL Injection and Cross Site Scripting Vulnerabilities

2007-08-2200:00:00
vulners.com
27
JSON

Ripe Website Manager SQL Injection and Cross Site Scripting Vulnerabilities

OS2A ID: OS2A_1009 Status:
07/11/2007 Issue Discovered
07/12/2007 Reported to the Vendor
08/22/2007 Public Release

Class: SQL Injection and Cross Site Scripting Severity: High

Overview:

Ripe Website Manager is a web based website CMS (Content Management System).
It allows you to create/edit your website pages.

Description:

SQL Injection and Cross-site scripting vulnerabilities exists in Ripe Website
Manager, which can be exploited by malicious users to conduct script insertion
and SQL injection attacks.

The input passed to these parameters are not properly sanitized,

  • id parameter in 'admin/pages/delete_page.php',
    'admin/navigation/delete_menu.php' and 'delete_item.php'
  • new_menuname parameter in 'admin/navigation/do_new_nav.php',
  • url and name parameters in 'admin/navigation/new_nav_item.php' and
  • area1, name parameters in 'admin/pages/do_new_page.php'

Impact:

Successful exploitation allows an attacker to execute arbitrary script,
steal cookie related information in the context of an affected web site
and execute sql queries.

To exploit this, an attacker should have login credentials.

Affected Software(s):

Ripe Website Manager 0.8.9 and prior

Proof of Concept:

After logging in as valid user,
SQL Injection:
http://example.com/admin/pages/delete_page.php?id=0 or 1=1

XSS:
Go to the http://www.example.com/admin/pages/new_page.php
and insert <script>alert("XSS")</script> in 'Title' field or
'textarea' field.
OR
Go to the http://www.example.com/admin/navigation/new_nav_item.php
and insert <script>alert("XSS")</script> in 'Name' or 'Link to url'
fields.

Analysis:

  1. Vulnerable portion of code in Ripe/admin/pages/delete_page.php,
    admin/navigation/delete_item.php and delete_menu.php

     $id = $_GET[&#39;id&#39;];

  2. Vulnerable portion of code in Ripe/admin/navigation/do_new_item.php

     $menu_id=$_POST[&#39;menu_id&#39;];
 $name=$_POST[&#39;name&#39;];
 $page_id=$_POST[&#39;page_id&#39;];
 $url=$_POST[&#39;url&#39;];

  3. Vulnerable portion of code in Ripe/admin/navigation/do_new_nav.php

     $new_menuname=$_POST[&#39;new_menuname&#39;];

  4. Vulnerable portion of code in Ripe/admin/pages/do_new_page.php

     $area1=$_POST[&#39;area1&#39;];
 $name=$_POST[&#39;name&#39;];
 $url=$_POST[&#39;url&#39;];

CVSS Score Report:

ACCESS_VECTOR          = NETWORK 
ACCESS_COMPLEXITY      = LOW 
AUTHENTICATION         = SINGLE INSTANCE 
CONFIDENTIALITY_IMPACT = PARTIAL 
INTEGRITY_IMPACT       = PARTIAL 
AVAILABILITY_IMPACT    = PARTIAL 
EXPLOITABILITY         = PROOF_OF_CONCEPT 
REMEDIATION_LEVEL      = OFFICIAL_FIX 
REPORT_CONFIDENCE      = CONFIRMED 
CVSS Base Score        = 6.5 &#40;AV:N/AC:L/Au:SI/C:P/I:P/A:P&#41; 
CVSS Temporal Score    = 5.1 
Risk factor            = High

Solution:

Upgrade to the latest version 0.8.10 of Ripe Web Site Manager. The design
change implemented ensures that other users do not have permission to perform
the above operations.

Credits:

Nagendra Kumar G and Arun Kethipelly of OS2A have been credited with the
discovery for these vulnerabilities.

JSON