what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Secunia Security Advisory 37576

Secunia Security Advisory 37576
Posted Dec 4, 2009
Authored by Secunia | Site secunia.com

Secunia Security Advisory - Nac Mac Feegle has discovered multiple vulnerabilities in Uiga Church Portal, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting, script insertion, and SQL injection attacks, bypass certain security restrictions, and compromise a vulnerable system.

tags | advisory, vulnerability, xss, sql injection
SHA-256 | dd3b2338bc8d2dd8a4da3ff5096dd4eeca90dd27c853e1c19d2ac1a5678b2f83

Secunia Security Advisory 37576

Change Mirror Download
----------------------------------------------------------------------

Do you have VARM strategy implemented?

(Vulnerability Assessment Remediation Management)

If not, then implement it through the most reliable vulnerability
intelligence source on the market.

Implement it through Secunia.

For more information visit:
http://secunia.com/advisories/business_solutions/

Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com

----------------------------------------------------------------------

TITLE:
Uiga Church Portal Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA37576

VERIFY ADVISORY:
http://secunia.com/advisories/37576/

DESCRIPTION:
Nac Mac Feegle has discovered multiple vulnerabilities in Uiga Church
Portal, which can be exploited by malicious people to disclose
potentially sensitive information, conduct cross-site scripting,
script insertion, and SQL injection attacks, bypass certain security
restrictions, and compromise a vulnerable system.

1) Input passed to the "file_photo_name" parameter in
admin/bible/biblegallery.php, admin/lifegroups/lifegallery.php,
admin/minutes/minutesgallery.php, and
admin/multimedia/multimediagallery.php, the "checkbox" parameter in
admin/news/newsend.php and admin/news/testing.php, the "script[]"
parameter in admin/news/userlist.php, admin/upload/userlist.php, and
head.php, the "file_name" parameter in admin/photos/gallery.php and
gallery.php, the "checkbox[]" and "message" parameters in
admin/special.php, the "pagetitle" parameter in admin/template.php
and include/template.php, the "img" parameter in anniv.php and
famday.php, the "username", "photo_main", "title_desc", "par",
"par1", "par2", and "par3" parameters in archivedetails.php and
ar_det.php, the "email_from", "name_from", "telephone" and "message"
parameters in contact.php, the "title_desc", "photo_main", "par1",
"par2", "par3", and "username" parameters in exhortation.php, the
"script[]" and "pagetitle" parameters in head2.php, the "pagetitle"
parameter in template.php, the "case" parameter in login2.php, the
"file_photo_name" parameter in multimediagallery.php, the "error"
parameter in admin/user/modify.php, the "id" parameter in
admin/time_date.php, the "id", "event_time", "event_name",
"event_id", and "event_desc" parameters in admin/editevent.php, the
"delete_id" parameter in admin/calendar.php, the "id", "a_title", and
"a_details" parameters in admin/announcements/modifynews.php, the
"cid", "image", cat_name", and "cat_desc" parameter in
admin/photos/editcat.php, the "par", "par1", "par2", "par3",
"title_desc", and "username" parameter in
admin/exhortation/exhoredit.php, the "box" paremeter in
admin/photos/edit.php, the "cid", "bib_name", and "bib_image"
parameters in admin/bible/editcat.php, the "cid", "music_name", and
"music_image" parameters in admin/music/editcat.php, the "cid",
"mul_name", and "mul_image" parameters in
admin/multimedia/editcat.php, the "cid", "life_name", and
"life_image" parameters in admin/lifegroups/editcat.php, the "id"
parameter in testimonisview.php, the "delete" parameter in
admin/lifegroups/lifegroups.php, the "id" and "min_name" parameters
in admin/minutes/upload.php, the "id" and "mul_name" parameters in
admin/multimedia/upload.php, the "delete" parameter in
admin/music/music.php, the "list" and "user_id" parameters in
admin/news/uploadfile.php, the "id" and "cat_name" parameters in
admin/photos/upload.php, the "txtuser" and "txtpassword" parameters
in login2.php and admin/login.php, the "testi_image", "testi_name",
"testi_des1", "testi_des2", "testi_des3", "testi_des4", "testi_des5",
"testi_des6", "testi_des7", and "testi_complete" parameters in
testimoniesview.php is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected
site.

2) Input passed via the URL to gallery.php, multimediagallery.php,
and to the "filepaging()" and "paging_update()" functions in
library/functions.php is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected
site.

3) Input passed to the "id" parameter in download.php,
downloadlife.php, downloadminutes.php, downloadmultimedia.php,
downloadmusic.php, multimediagallery.php, photoview.php,
testimoniesview.php, and gallery.php, the "view" parameter in
archivedetails.php, the "day", "month", and "year" parameters in
events.php, the "offset" parameter in gallery.php,
multimediagallery.php, and a_detail.php, the "media" parameter in
"multimediaview.php, the "delete" parameter in music.php, and the
"exhort" parameter in ar_det.php is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.

4) Input passed to the "content" parameter in admin/template.php and
include/template.php is not properly verified before being used to
include files. This can be exploited to include arbitrary files from
local or external resources.

5) Input passed to the "bib_image" and "id" parameters in
download.php, the "life_image" parameter in downloadlife.php, the
"min_image" parameter in downloadminutes.php, the "mul_image" and
"id" parameters in downloadmultimedia.php, and the "music_image" and
"id" parameters in downloadmusic.php is not properly verified before
being used to download files. This can be exploited to e.g. download
arbitrary files via directory traversal attacks.

6) The application does not properly restrict access to the
admin/bible/biblegallery.php, admin/lifegroups/lifegallery.php,
admin/minutes/minutesgallery.php,
admin/multimedia/multimediagallery.php, admin/news/mail.php,
admin/news/processUpload.php, admin/photos/gallery.php,
admin/upload/download.php, admin/upload/processUpload.php,
admin/user/download.php, and admin/user/processUpload.php scripts.
This can be exploited to e.g. conduct SQL injection attacks or upload
and execute malicious PHP files.

7) A backdoor exists in the application (admin/news/error.php) and
can be exploited to e.g. execute arbitrary shell commands.

8) The "checkClientUser()" function does not properly check for valid
user sessions, which can be exploited to bypass the authentication
mechanism.

9) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to perform actions with the privileges
of a target user, who is tricked into visiting a malicious website.

10) Input passed via the "txtname", "txtcontact", or "txtevents" to
special_event.php is not properly sanitised before being displayed to
the user. This can be exploited to inject arbitrary HTML and script
code, which will be executed in a user's browser session in context
of an affected site when the malicious data is viewed.

11) The application does not properly restrict access to
multimediaview.php and ar_det.php, which can be exploited to access
restricted content without valid user credentials.

The vulnerabilities are confirmed in a version downloaded on
2009-12-04. Other versions may also be affected.

SOLUTION:
Use another product.

PROVIDED AND/OR DISCOVERED BY:
Nac Mac Feegle

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close