=================================================================================================================================================================
KARTOO SEARCH ENGINE XSS / PHP allow_url_fopen enabled / PHP allow_url_inlude enable /Security vulnerability in <<MySQL/MariaDB sql/password.c >> / Sensitive Files Information Disclosure / 
=================================================================================================================================================================


06-11-2013 Security Advisory (.com and pl.kartoo.com)
07-11-2013 Ask About the Issues -> Not Reponse
16-11-2013 Ask About the Issues-> Not Fixed
19-11-2013 Full Disclosure


I. VULNERABILITY
-------------------------

#Title: KARTOO SEARCH ENGINE XSS / PHP allow_url_fopen enabled / PHP allow_url_inlude enable / Security vulnerability in <<MySQL/MariaDB sql/password.c>> / PHPinfo Information Disclosure / Sensitive File Information Disclosure 

#Vendor:http://kartoo.com / ( & pl.kartoo.com)

#Author:Juan Carlos García (@secnight)

#Follow me 

http://asap-sec.com

Twitter:@secnight

II. DESCRIPTION
-------------------------

KartOO was a meta search engine which displayed a visual interface. It operated from 2001 to early 2010.

KartOO had an Adobe Flash GUI, as opposed to a text-based list of results. Its color scheme was to a degree reminiscent of Apple Computer's Aqua interface.

Search results were presented as a "map", with blob-like masses of varying color connecting each item. On rollover of an individual result a bunch of red lines connected related links. 

If one began their search with a general topic, KartOO sometimes helped to narrow it down. Every "blob" clicked added another word to the search query.

The map would often succeed in presenting keywords or subtopics that defined the topic one was searching on, very much like an interactive spider diagram.


III. PROOF OF CONCEPT
***********************

Cross Site Scripting
***************************

Vulnerability description
----------------------------
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user.

Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to
access any cookies or session tokens retained by the browser. 

The impact of this vulnerability
----------------------------------
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the 

user. It is also possible to modify the content of the page presented to the user

Attack details
--------------

This vulnerability affects /suggest/add-site.htm. 

URL encoded POST input description was set to 1'"()&%<ScRiPt >prompt(904962)</ScRiPt>

categorie=4&code=&description=1%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28904962%29%3c%2fScRiPt%3e&email=sample%40email.tst&linkr=directory%20%26%20search%20engine&securite=1&titre=Mr.&url=1


URL encoded POST input description was set to 1'"()&%<ScRiPt >prompt(904962)</ScRiPt>

categorie=4&code=&description=1%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28904962%29%3c%2fScRiPt%3e&email=sample%40email.tst&linkr=directory%20%26%20search%20engine&securite=1&titre=Mr.&url=1


URL encoded POST input email was set to sample%40email.tst" onmouseover=prompt(905055) bad="

The input is reflected inside a tag parameter between double quotes.

POST /suggest/add-site.htm 

categorie=4&code=&description=1&email=sample%2540email.tst%22%20onmouseover%3dprompt%28905055%29%20bad%3d%22&linkr=directory%20%26%20search%20engine&securite=1&titre=Mr.&url=1


URL encoded POST input titre was set to Mr." onmouseover=prompt(999303) bad="

categorie=4&code=&description=1&email=sample%40email.tst&linkr=directory%20%26%20search%20engine&securite=1&titre=Mr.%22%20onmouseover%3dprompt%28999303%29%20bad%3d%22&url=1


URL encoded POST input url was set to 1" onmouseover=prompt(918225) bad="

PHP allow_url_fopen enabled
***************************

http://kartoo.com 
http://pl.kartoo.com

Vulnerability description
-------------------------

The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval
from remote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based
web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. 

allow_url_fopen is enabled by default.

Affected items
---------------
/test.php 

The impact of this vulnerability
---------------------------------

Application dependant - possible remote file inclusion.

How to fix this vulnerability
--------------------------------

You can disable allow_url_fopen from php.ini or .htaccess.

php.ini
allow_url_fopen = 'off'

.htaccess
php_flag allow_url_fopen off


PHP allow_url_include enabled
*****************************

http://kartoo.com 
http://pl.kartoo.com

Vulnerability description
-------------------------
The PHP configuration directive allow_url_include is enabled. When enabled, this directive allows data 
retrieval from remote locations (web site or FTP server) for functions like fopen and file_get_contents. 
If user input is not properly validated, this can conduct to remote file inclusion vulnerabilities. 

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled. This setting is only available since PHP 5.2.

Affected items
-----------------

/test.php 

The impact of this vulnerability
--------------------------------

Application dependant - possible remote file inclusion.

How to fix this vulnerability
------------------------------

You can disable allow_url_include from php.ini or .htaccess.

php.ini
allow_url_include = 'off'

.htaccess
php_flag allow_url_include off



PHPinfo page found
********************

http://kartoo.com 
http://pl.kartoo.com

Vulnerability description
--------------------------
PHPinfo page has been found in this directory. The PHPinfo page outputs a large amount of information about the current state of PHP.
This includes information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module),
the PHP environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License.

Affected items
----------------

/test.php 

The impact of this vulnerability
---------------------------------

This file may expose sensitive information that may help an malicious user to prepare more advanced attacks.

How to fix this vulnerability
--------------------------------

Remove the file from production systems.


sensitive files
*****************

Vulnerability description
----------------------------
A sensitive file has been found. This file is not directly linked from the website. 
This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data,
database dumps. Each one of these files could help an attacker to learn more about his target.

This vulnerability affects /error_log. 


GET /error_log 


Security vulnerability in MySQL/MariaDB sql/password.c
******************************************************

http://pl.kartoo.com

Vulnerability description
--------------------------

Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers.
When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value.
Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. 
In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, 
the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and "root" almost always exists),
she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second,
so basically account password protection is as good as nonexistent. 

Affected versions:

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. 

MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. 

MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not. 


Affected items
--------------

/test.php 

The impact of this vulnerability
-----------------------------------

An attacker can bypass MySQL authentication.


How to fix this vulnerability
---------------------------------

Upgrade to the latest version of MySQL.


PHP configuration file (php.ini)
*********************************

Vulnerability description
-----------------------------

The php.ini file contains all the configuration for how PHP is parsed on a server.
It can contain default database usernames, passwords, hostnames, IP addresses, ports, initialization of global variables 
and other information. Since it is found by default in /etc, you might be able to find a lot more unrelated information in the same directory. 


This vulnerability affects /php.ini. 

inurl:php.ini filetype:ini


V SOLUTION
------------------------
(...)


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.