exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OS2A_1009.txt

OS2A_1009.txt
Posted Aug 23, 2007
Authored by Arun Kethipelly, Nagendra Kumar G

The Ripe Website Manager versions 0.8.9 and below suffer from cross site scripting and SQL injection vulnerabilities.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | 95773f2cddbb5b6ee24c32dbaac520a253e14fc033b883d64c6c1bc97af70364

OS2A_1009.txt

Change Mirror Download
Ripe Website Manager SQL Injection and Cross Site Scripting Vulnerabilities


OS2A ID: OS2A_1009 Status:
07/11/2007 Issue Discovered
07/12/2007 Reported to the Vendor
08/22/2007 Public Release


Class: SQL Injection and Cross Site Scripting Severity: High


Overview:
---------
Ripe Website Manager is a web based website CMS (Content Management System).
It allows you to create/edit your website pages.


Description:
------------
SQL Injection and Cross-site scripting vulnerabilities exists in Ripe Website
Manager, which can be exploited by malicious users to conduct script insertion
and SQL injection attacks.

The input passed to these parameters are not properly sanitized,
- id parameter in 'admin/pages/delete_page.php',
'admin/navigation/delete_menu.php' and 'delete_item.php'
- new_menuname parameter in 'admin/navigation/do_new_nav.php',
- url and name parameters in 'admin/navigation/new_nav_item.php' and
- area1, name parameters in 'admin/pages/do_new_page.php'


Impact:
-------
Successful exploitation allows an attacker to execute arbitrary script,
steal cookie related information in the context of an affected web site
and execute sql queries.

To exploit this, an attacker should have login credentials.


Affected Software(s):
---------------------
Ripe Website Manager 0.8.9 and prior


Proof of Concept:
-----------------
After logging in as valid user,
SQL Injection:
http://example.com/admin/pages/delete_page.php?id=0 or 1=1

XSS:
Go to the http://www.example.com/admin/pages/new_page.php
and insert <script>alert("XSS")</script> in 'Title' field or
'textarea' field.
OR
Go to the http://www.example.com/admin/navigation/new_nav_item.php
and insert <script>alert("XSS")</script> in 'Name' or 'Link to url'
fields.


Analysis:
---------

1. Vulnerable portion of code in Ripe/admin/pages/delete_page.php,
admin/navigation/delete_item.php and delete_menu.php

$id = $_GET['id'];

2. Vulnerable portion of code in Ripe/admin/navigation/do_new_item.php

$menu_id=$_POST['menu_id'];
$name=$_POST['name'];
$page_id=$_POST['page_id'];
$url=$_POST['url'];

3. Vulnerable portion of code in Ripe/admin/navigation/do_new_nav.php

$new_menuname=$_POST['new_menuname'];

4. Vulnerable portion of code in Ripe/admin/pages/do_new_page.php

$area1=$_POST['area1'];
$name=$_POST['name'];
$url=$_POST['url'];


CVSS Score Report:
------------------
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = SINGLE INSTANCE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = PARTIAL
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = OFFICIAL_FIX
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 6.5 (AV:N/AC:L/Au:SI/C:P/I:P/A:P)
CVSS Temporal Score = 5.1
Risk factor = High


Solution:
-----------
Upgrade to the latest version 0.8.10 of Ripe Web Site Manager. The design
change implemented ensures that other users do not have permission to perform
the above operations.


Credits:
-----------
Nagendra Kumar G and Arun Kethipelly of OS2A have been credited with the
discovery for these vulnerabilities.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close