Secunia Security Advisory - Nac Mac Feegle has discovered multiple vulnerabilities in Uiga Church Portal, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting, script insertion, and SQL injection attacks, bypass certain security restrictions, and compromise a vulnerable system.
dd3b2338bc8d2dd8a4da3ff5096dd4eeca90dd27c853e1c19d2ac1a5678b2f83
----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Uiga Church Portal Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA37576
VERIFY ADVISORY:
http://secunia.com/advisories/37576/
DESCRIPTION:
Nac Mac Feegle has discovered multiple vulnerabilities in Uiga Church
Portal, which can be exploited by malicious people to disclose
potentially sensitive information, conduct cross-site scripting,
script insertion, and SQL injection attacks, bypass certain security
restrictions, and compromise a vulnerable system.
1) Input passed to the "file_photo_name" parameter in
admin/bible/biblegallery.php, admin/lifegroups/lifegallery.php,
admin/minutes/minutesgallery.php, and
admin/multimedia/multimediagallery.php, the "checkbox" parameter in
admin/news/newsend.php and admin/news/testing.php, the "script[]"
parameter in admin/news/userlist.php, admin/upload/userlist.php, and
head.php, the "file_name" parameter in admin/photos/gallery.php and
gallery.php, the "checkbox[]" and "message" parameters in
admin/special.php, the "pagetitle" parameter in admin/template.php
and include/template.php, the "img" parameter in anniv.php and
famday.php, the "username", "photo_main", "title_desc", "par",
"par1", "par2", and "par3" parameters in archivedetails.php and
ar_det.php, the "email_from", "name_from", "telephone" and "message"
parameters in contact.php, the "title_desc", "photo_main", "par1",
"par2", "par3", and "username" parameters in exhortation.php, the
"script[]" and "pagetitle" parameters in head2.php, the "pagetitle"
parameter in template.php, the "case" parameter in login2.php, the
"file_photo_name" parameter in multimediagallery.php, the "error"
parameter in admin/user/modify.php, the "id" parameter in
admin/time_date.php, the "id", "event_time", "event_name",
"event_id", and "event_desc" parameters in admin/editevent.php, the
"delete_id" parameter in admin/calendar.php, the "id", "a_title", and
"a_details" parameters in admin/announcements/modifynews.php, the
"cid", "image", cat_name", and "cat_desc" parameter in
admin/photos/editcat.php, the "par", "par1", "par2", "par3",
"title_desc", and "username" parameter in
admin/exhortation/exhoredit.php, the "box" paremeter in
admin/photos/edit.php, the "cid", "bib_name", and "bib_image"
parameters in admin/bible/editcat.php, the "cid", "music_name", and
"music_image" parameters in admin/music/editcat.php, the "cid",
"mul_name", and "mul_image" parameters in
admin/multimedia/editcat.php, the "cid", "life_name", and
"life_image" parameters in admin/lifegroups/editcat.php, the "id"
parameter in testimonisview.php, the "delete" parameter in
admin/lifegroups/lifegroups.php, the "id" and "min_name" parameters
in admin/minutes/upload.php, the "id" and "mul_name" parameters in
admin/multimedia/upload.php, the "delete" parameter in
admin/music/music.php, the "list" and "user_id" parameters in
admin/news/uploadfile.php, the "id" and "cat_name" parameters in
admin/photos/upload.php, the "txtuser" and "txtpassword" parameters
in login2.php and admin/login.php, the "testi_image", "testi_name",
"testi_des1", "testi_des2", "testi_des3", "testi_des4", "testi_des5",
"testi_des6", "testi_des7", and "testi_complete" parameters in
testimoniesview.php is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected
site.
2) Input passed via the URL to gallery.php, multimediagallery.php,
and to the "filepaging()" and "paging_update()" functions in
library/functions.php is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected
site.
3) Input passed to the "id" parameter in download.php,
downloadlife.php, downloadminutes.php, downloadmultimedia.php,
downloadmusic.php, multimediagallery.php, photoview.php,
testimoniesview.php, and gallery.php, the "view" parameter in
archivedetails.php, the "day", "month", and "year" parameters in
events.php, the "offset" parameter in gallery.php,
multimediagallery.php, and a_detail.php, the "media" parameter in
"multimediaview.php, the "delete" parameter in music.php, and the
"exhort" parameter in ar_det.php is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
4) Input passed to the "content" parameter in admin/template.php and
include/template.php is not properly verified before being used to
include files. This can be exploited to include arbitrary files from
local or external resources.
5) Input passed to the "bib_image" and "id" parameters in
download.php, the "life_image" parameter in downloadlife.php, the
"min_image" parameter in downloadminutes.php, the "mul_image" and
"id" parameters in downloadmultimedia.php, and the "music_image" and
"id" parameters in downloadmusic.php is not properly verified before
being used to download files. This can be exploited to e.g. download
arbitrary files via directory traversal attacks.
6) The application does not properly restrict access to the
admin/bible/biblegallery.php, admin/lifegroups/lifegallery.php,
admin/minutes/minutesgallery.php,
admin/multimedia/multimediagallery.php, admin/news/mail.php,
admin/news/processUpload.php, admin/photos/gallery.php,
admin/upload/download.php, admin/upload/processUpload.php,
admin/user/download.php, and admin/user/processUpload.php scripts.
This can be exploited to e.g. conduct SQL injection attacks or upload
and execute malicious PHP files.
7) A backdoor exists in the application (admin/news/error.php) and
can be exploited to e.g. execute arbitrary shell commands.
8) The "checkClientUser()" function does not properly check for valid
user sessions, which can be exploited to bypass the authentication
mechanism.
9) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to perform actions with the privileges
of a target user, who is tricked into visiting a malicious website.
10) Input passed via the "txtname", "txtcontact", or "txtevents" to
special_event.php is not properly sanitised before being displayed to
the user. This can be exploited to inject arbitrary HTML and script
code, which will be executed in a user's browser session in context
of an affected site when the malicious data is viewed.
11) The application does not properly restrict access to
multimediaview.php and ar_det.php, which can be exploited to access
restricted content without valid user credentials.
The vulnerabilities are confirmed in a version downloaded on
2009-12-04. Other versions may also be affected.
SOLUTION:
Use another product.
PROVIDED AND/OR DISCOVERED BY:
Nac Mac Feegle
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------