what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Secunia Security Advisory 39014

Secunia Security Advisory 39014
Posted Mar 19, 2010
Authored by Secunia | Site secunia.com

Secunia Security Advisory - Some vulnerabilities and security issues have been discovered in Limny, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and by malicious people to conduct SQL injection attacks, cross-site scripting attacks, or to bypass certain security restrictions.

tags | advisory, vulnerability, xss, sql injection
SHA-256 | 70e92ff72d13ec34f4193fc626e8b7e8e748ea0677d28246aacb452a9bb2805c

Secunia Security Advisory 39014

Change Mirror Download
----------------------------------------------------------------------


Use WSUS to deploy 3rd party patches

Public BETA
http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/


----------------------------------------------------------------------

TITLE:
Limny Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA39014

VERIFY ADVISORY:
http://secunia.com/advisories/39014/

DESCRIPTION:
Some vulnerabilities and security issues have been discovered in
Limny, which can be exploited by malicious users to conduct script
insertion and SQL injection attacks and by malicious people to
conduct SQL injection attacks, cross-site scripting attacks, or to
bypass certain security restrictions.

1) Input passed via the "q" parameter to index.php is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed via the "theme" and the "language" parameters to
index.php (when "q" is set to "user") is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

3) Input passed via the "tags" and "category" parameters to index.php
(when "q" is set to "admin/modules/post/new") is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires permissions to
create new posts.

4) Input passed while submitting user generated forms is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed via the "name" parameter to index.php (when "q" is
set to "admin/modules/form/elements") is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires permissions to
edit form elements.

6) Input passed via the "pageslinksby", "itemsseperator", and
"datetimetype" parameters to index.php (when "q" is set to
"admin/modules/page/options") is not properly sanitised before being
used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires permissions to
edit page options.

7) Input passed via the "numberofposts", "numberofpages",
"showsummaryinfullview", "postlinksby", "itemsseperator",
"postsseperator", and "datetimetype" parameters to index.php (when
"q" is set to "admin/modules/post/options") is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires permissions to
edit post options.

Successful exploitation of vulnerabilities #1 through #7 requires
that "magic_quotes_gpc" is disabled.

8) Input passed via the "email" parameter to index.php while posting
comments is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

9) Input passed via the "content" parameter to index.php (when "q" is
set to "admin/modules/block/new") is not properly sanitised before
being displayed to the user. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is being viewed.

Successful exploitation of this vulnerability requires permissions to
create new blocks.

10) Input passed via the "name" parameter to index.php (when "q" is
set to "admin/modules/navigation") is not properly sanitised before
being displayed to the user. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is being viewed.

Successful exploitation of this vulnerability requires permissions to
create new navigation items.

11) Input passed via the "text" parameter to index.php (when "q" is
set to "admin/modules/page/new") is not properly sanitised before
being displayed to the user. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is being viewed.

Successful exploitation of this vulnerability requires permissions to
create new pages.

12) Input passed via the "summary" and "text" parameters to index.php
(when "q" is set to "admin/modules/post/new") is not properly
sanitised before being displayed to the user. This can be exploited
to insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.

Successful exploitation of this vulnerability requires permissions to
create new posts.

13) Input passed while submitting user generated forms is not
properly sanitised before being displayed to the user. This can be
exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in context of an affected site
when the malicious data is being viewed.

14) A security issue is caused due to predictable generation of the
confirmation code within the "Forgot password" mechanism in
modules/user/forgotpw.php. This can be exploited to reset the
password of a valid user using a predicted confirmation code.

15) Predictable generation of the verification code within the "Sign
up" mechanism in modules/user/signup.php can be exploited to bypass
email verification and create arbitrary users using a predicted
verification code.

16) Input passed to the "block[title]" and "block[content]"
parameters in themes/gray/block.php, "settings[footer]", and
"settings[version]" parameters in themes/gray/footer.php,
"settings[site]" and "settings[title]" parameters in
themes/gray/header.php, "lang[direction]", "page[title]",
"settings[title]", "lang[encoding]", and "settings[version]"
parameters in themes/gray/page.php is not properly sanitised before
being returned to the user in. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

Successful exploitation of this vulnerability requires that
"register_globals" is enabled.

The vulnerabilities are confirmed in version 2.01. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Restrict access to the "Forgot password" and "Sign up" mechanisms.

PROVIDED AND/OR DISCOVERED BY:
Moist von Lipwig

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close