SQLiteManager v1.2.0 Multiple Vulnerabilities

2007-02-26T00:00:00
ID SECURITYVULNS:DOC:16188
Type securityvulns
Reporter Securityvulns
Modified 2007-02-26T00:00:00

Description

SQLiteManager v1.2.0 Multiple Vulnerabilities

vendor : http://www.sqlitemanager.org/ Global risk : High


SQLite is a SQL managed portal like PhpMyAdmin.

Multiple Cross Scripting Vulnerabilities

In main.php the database name field is vulnerable to a XSS attack. This xss is permanent, if a user with restricted rights creates a table with as name a malicious code the administrator gone get his cookie stealed when he opens SqliteManager's index. The same things happens for the table's name field if a malicious code is inserted.

The solution is then to use htmlentities().

others vulnerables fields to XSS attacks :

main.php : ............... ViewName ............... view ............... trigger ............... function ............... (...)

Theses vulnerabilities are presents in others pages too. Here too the better solution is to use htmlentities().

reference : www.php.net/htmlentities

Locale File Include

GET /home/sqlite/ HTTP/1.0 [...] Cookie: PHPSESSID=[...];SQLiteManager_currentTheme=../../../../../../../../../../../../../etc/passwd%00; SQLiteManager_currentLangue=deleted

SQLiteManager_currentTheme variable is vulnerable. This request will returns the /etc/passwd file.

This vulnerability is dangerous, indeed a user with restricted access to SqliteManage could get non-authorized files.

Regards,

Simon Bonnard - 24/02/2007 Contact : simon.itsecurity[at]gmail[dot]com