
kereval.tutos.txt

24 Jun 2003 | Reported by Francois SORIN | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in Tutos enable Cross Site Scripting attacks. Risk is medium/high.

Code
`=================================================  
Kereval Security Advisory [KSA-001]  
  
Multiple vulnerabilities in Tutos  
=================================================  
  
PROGRAM: Tutos  
HOMEPAGE: http://www.tutos.org  
VULNERABLE VERSIONS: 1.1  
RISK: Medium/High  
IMPACT: Cross Site Scripting  
RELEASE DATE: 2003-06-20  
  
=================================================  
TABLE OF CONTENTS  
=================================================  
  
1..........................................................DESCRIPTION  
2..............................................................DETAILS  
3.............................................................EXPLOITS  
4............................................................SOLUTIONS  
5...........................................................WORKAROUND  
6........................................................VENDOR STATUS  
7..............................................................CREDITS  
8...........................................................DISCLAIMER  
9...........................................................REFERENCES  
10............................................................FEEDBACK  
  
1. DESCRIPTION  
=================================================  
  
"TUTOS is a tool to manage the organizational needs of small  
groups, teams, departments ...  
To do this it provides some web-based tools"  
  
(direct quote from http://www.tutos.org)  
  
  
2. DETAILS  
=================================================  
  
¤ Cross Site Scripting :  
  
Many exploitable bugs were found in Tutos which cause script  
execution on the client's computer when a crafted URL is followed.  
  
This kind of attack, known as a "Cross-Site Scripting Vulnerability",  
is present in many sections of the web site; an attacker can input  
specially crafted links and/or other malicious scripts.  
  
An attacker can upload a file and have it executed on the client's computer.  
The IE browser can execute an HTML page without an extension.  
  
  
3. EXPLOITS  
=================================================  
  
¤ Cross Site Scripting :  
  
http://[target]/tutos/file/file_select.php?msg=<hostile code>  
  
All URLs with the msg attribute...  
  
The hostile code could be :  
  
[script]alert("Cookie="+document.cookie)[/script]  
  
(opens a window showing the visitor's cookie.)  
  
(replace [] by <>)  
  
¤ Upload a file with a malicious script  
  
We can upload via http://[target]/tutos/file/file_new.php?link_id=1065  
  
The path is http://[target]/tutos/repository/[project number]/[file  
number]/FILE  
  
  
4. SOLUTIONS  
=================================================  
  
The problem is solved in all new releases, where the given <hostile  
code> is strictly interpreted as NON-HTML code by TUTOS. Most  
messages are now stored in the session data and no longer in URLs (there was  
also a problem with overly long URLs).  
  
The version that implements this is available via CVS as BRANCH-1-1.  
How to get CVS is described at <https://sourceforge.net/cvs/?group_id=8047>  
  
  
5. WORKAROUND  
=================================================  
  
¤ Cross Site Scripting :  
  
Use the PHP function eregi_replace to filter the input data.  
  
  
6. VENDOR STATUS  
=================================================  
  
2003-06-20 The vendor has reportedly been notified.  
2003-06-23 Response from the vendor with solution.  
  
  
7. CREDITS  
=================================================  
  
Discovered by François SORIN <[email protected]>  
  
  
8. DISCLAIMER  
=================================================  
  
The information within this paper may change without notice. Use of  
this information constitutes acceptance for use in an AS IS condition.  
There are NO warranties with regard to this information. In no event  
shall the author be liable for any damages whatsoever arising out of  
or in connection with the use or spread of this information. Any use  
of this information is at the user's own risk.  
  
  
9. REFERENCES  
=================================================  
  
http://www.security-corporation.com  
  
  
10. FEEDBACK  
=================================================  
  
Please send suggestions, updates, and comments to:  
  
Kereval  
Immeuble Le Gallium  
80, avenue des Buttes de Coesmes  
35700 RENNES - FRANCE  
[email protected]  
  
  
`
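
The fix described in section 4 (treat msg strictly as non-HTML, and keep messages in session data rather than in URLs), shown beside the vulnerable pattern as an added example; this is not TUTOS code, and all function names and the flash_msg key are hypothetical. It uses output encoding rather than the eregi_replace workaround, because eregi_replace was deprecated in PHP 5.3 and removed in PHP 7.0. Plain arrays stand in for $_GET and $_SESSION so the script runs from the command line.

```php
<?php
// Added example, not TUTOS code. Names are hypothetical.

// Shared output encoder: the value is emitted as text, never as markup.
function as_text($value): string
{
    // msg[]=x arrives as an array; treat any non-string as empty.
    if (!is_string($value)) {
        return '';
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the pattern the advisory describes, msg echoed straight into HTML.
function render_msg_vulnerable(array $query): string
{
    return '<div class="msg">' . ($query['msg'] ?? '') . '</div>';
}

// After (1): msg is strictly interpreted as non-HTML on output.
function render_msg_escaped(array $query): string
{
    return '<div class="msg">' . as_text($query['msg'] ?? '') . '</div>';
}

// After (2): the message travels in session data, not in the URL.
function flash_set(array &$session, string $msg): void
{
    $session['flash_msg'] = $msg;
}

function flash_render(array &$session): string
{
    $msg = $session['flash_msg'] ?? '';
    unset($session['flash_msg']); // shown once, then discarded
    return $msg === '' ? '' : '<div class="msg">' . as_text($msg) . '</div>';
}

// Constructed sample input: the advisory's own test string.
$query = ['msg' => '<script>alert("Cookie="+document.cookie)</script>'];
echo render_msg_vulnerable($query), "\n"; // script element reaches the page
echo render_msg_escaped($query), "\n";    // same bytes, rendered as text
echo render_msg_escaped(['msg' => ['x']]), "\n"; // array input yields empty

$session = []; // stands in for $_SESSION
flash_set($session, 'File <b>uploaded</b>');
echo flash_render($session), "\n"; // encoded, displayed once
echo flash_render($session) === '' ? "(no message on reload)\n" : '';
```

Session-stored messages are still encoded on output, since their content may include user-supplied values such as file names.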
