Secunia Security Advisory - Some vulnerabilities and security issues have been discovered in Limny, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and by malicious people to conduct SQL injection attacks, cross-site scripting attacks, or to bypass certain security restrictions.
70e92ff72d13ec34f4193fc626e8b7e8e748ea0677d28246aacb452a9bb2805c
----------------------------------------------------------------------
Use WSUS to deploy 3rd party patches
Public BETA
http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/
----------------------------------------------------------------------
TITLE:
Limny Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39014
VERIFY ADVISORY:
http://secunia.com/advisories/39014/
DESCRIPTION:
Some vulnerabilities and security issues have been discovered in
Limny, which can be exploited by malicious users to conduct script
insertion and SQL injection attacks and by malicious people to
conduct SQL injection attacks, cross-site scripting attacks, or to
bypass certain security restrictions.
1) Input passed via the "q" parameter to index.php is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "theme" and the "language" parameters to
index.php (when "q" is set to "user") is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
3) Input passed via the "tags" and "category" parameters to index.php
(when "q" is set to "admin/modules/post/new") is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires permissions to
create new posts.
4) Input passed while submitting user generated forms is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
5) Input passed via the "name" parameter to index.php (when "q" is
set to "admin/modules/form/elements") is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires permissions to
edit form elements.
6) Input passed via the "pageslinksby", "itemsseperator", and
"datetimetype" parameters to index.php (when "q" is set to
"admin/modules/page/options") is not properly sanitised before being
used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires permissions to
edit page options.
7) Input passed via the "numberofposts", "numberofpages",
"showsummaryinfullview", "postlinksby", "itemsseperator",
"postsseperator", and "datetimetype" parameters to index.php (when
"q" is set to "admin/modules/post/options") is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires permissions to
edit post options.
Successful exploitation of vulnerabilities #1 through #7 requires
that "magic_quotes_gpc" is disabled.
8) Input passed via the "email" parameter to index.php while posting
comments is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
9) Input passed via the "content" parameter to index.php (when "q" is
set to "admin/modules/block/new") is not properly sanitised before
being displayed to the user. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is being viewed.
Successful exploitation of this vulnerability requires permissions to
create new blocks.
10) Input passed via the "name" parameter to index.php (when "q" is
set to "admin/modules/navigation") is not properly sanitised before
being displayed to the user. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is being viewed.
Successful exploitation of this vulnerability requires permissions to
create new navigation items.
11) Input passed via the "text" parameter to index.php (when "q" is
set to "admin/modules/page/new") is not properly sanitised before
being displayed to the user. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is being viewed.
Successful exploitation of this vulnerability requires permissions to
create new pages.
12) Input passed via the "summary" and "text" parameters to index.php
(when "q" is set to "admin/modules/post/new") is not properly
sanitised before being displayed to the user. This can be exploited
to insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.
Successful exploitation of this vulnerability requires permissions to
create new posts.
13) Input passed while submitting user generated forms is not
properly sanitised before being displayed to the user. This can be
exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in context of an affected site
when the malicious data is being viewed.
14) A security issue is caused due to predictable generation of the
confirmation code within the "Forgot password" mechanism in
modules/user/forgotpw.php. This can be exploited to reset the
password of a valid user using a predicted confirmation code.
15) Predictable generation of the verification code within the "Sign
up" mechanism in modules/user/signup.php can be exploited to bypass
email verification and create arbitrary users using a predicted
verification code.
16) Input passed to the "block[title]" and "block[content]"
parameters in themes/gray/block.php, "settings[footer]", and
"settings[version]" parameters in themes/gray/footer.php,
"settings[site]" and "settings[title]" parameters in
themes/gray/header.php, "lang[direction]", "page[title]",
"settings[title]", "lang[encoding]", and "settings[version]"
parameters in themes/gray/page.php is not properly sanitised before
being returned to the user in. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.
Successful exploitation of this vulnerability requires that
"register_globals" is enabled.
The vulnerabilities are confirmed in version 2.01. Other versions may
also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Restrict access to the "Forgot password" and "Sign up" mechanisms.
PROVIDED AND/OR DISCOVERED BY:
Moist von Lipwig
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------