---------------------------------------------------------------------- Use WSUS to deploy 3rd party patches Public BETA http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: Limny Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39014 VERIFY ADVISORY: http://secunia.com/advisories/39014/ DESCRIPTION: Some vulnerabilities and security issues have been discovered in Limny, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and by malicious people to conduct SQL injection attacks, cross-site scripting attacks, or to bypass certain security restrictions. 1) Input passed via the "q" parameter to index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 2) Input passed via the "theme" and the "language" parameters to index.php (when "q" is set to "user") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 3) Input passed via the "tags" and "category" parameters to index.php (when "q" is set to "admin/modules/post/new") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability requires permissions to create new posts. 4) Input passed while submitting user generated forms is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 5) Input passed via the "name" parameter to index.php (when "q" is set to "admin/modules/form/elements") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability requires permissions to edit form elements. 6) Input passed via the "pageslinksby", "itemsseperator", and "datetimetype" parameters to index.php (when "q" is set to "admin/modules/page/options") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability requires permissions to edit page options. 7) Input passed via the "numberofposts", "numberofpages", "showsummaryinfullview", "postlinksby", "itemsseperator", "postsseperator", and "datetimetype" parameters to index.php (when "q" is set to "admin/modules/post/options") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability requires permissions to edit post options. Successful exploitation of vulnerabilities #1 through #7 requires that "magic_quotes_gpc" is disabled. 8) Input passed via the "email" parameter to index.php while posting comments is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 9) Input passed via the "content" parameter to index.php (when "q" is set to "admin/modules/block/new") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires permissions to create new blocks. 10) Input passed via the "name" parameter to index.php (when "q" is set to "admin/modules/navigation") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires permissions to create new navigation items. 11) Input passed via the "text" parameter to index.php (when "q" is set to "admin/modules/page/new") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires permissions to create new pages. 12) Input passed via the "summary" and "text" parameters to index.php (when "q" is set to "admin/modules/post/new") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires permissions to create new posts. 13) Input passed while submitting user generated forms is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. 14) A security issue is caused due to predictable generation of the confirmation code within the "Forgot password" mechanism in modules/user/forgotpw.php. This can be exploited to reset the password of a valid user using a predicted confirmation code. 15) Predictable generation of the verification code within the "Sign up" mechanism in modules/user/signup.php can be exploited to bypass email verification and create arbitrary users using a predicted verification code. 16) Input passed to the "block[title]" and "block[content]" parameters in themes/gray/block.php, "settings[footer]", and "settings[version]" parameters in themes/gray/footer.php, "settings[site]" and "settings[title]" parameters in themes/gray/header.php, "lang[direction]", "page[title]", "settings[title]", "lang[encoding]", and "settings[version]" parameters in themes/gray/page.php is not properly sanitised before being returned to the user in. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation of this vulnerability requires that "register_globals" is enabled. The vulnerabilities are confirmed in version 2.01. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised. Restrict access to the "Forgot password" and "Sign up" mechanisms. PROVIDED AND/OR DISCOVERED BY: Moist von Lipwig ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------