[KSA-005] Multiple vulnerabilities in Tutos

2004-04-14T00:00:00
ID SECURITYVULNS:DOC:6069
Type securityvulns
Reporter Securityvulns
Modified 2004-04-14T00:00:00

Description

================================================= Kereval Security Advisory [KSA-005]

Multiple vulnerabilities in Tutos

PROGRAM: Tutos HOMEPAGE: http://www.tutos.org VULNERABLE VERSIONS: 1.1.20031017 RISK: Medium/High IMPACT: Cross Site Scripting / Path Disclosure / SQL Injection RELEASE DATE: 2004-01-13

================================================= TABLE OF CONTENTS =================================================

1..........................................................DESCRIPTION 2..............................................................DETAILS 3.............................................................EXPLOITS 4............................................................SOLUTIONS 5...........................................................WORKAROUND 6........................................................VENDOR STATUS 7..............................................................CREDITS 8...........................................................DISCLAIMER 9...........................................................REFERENCES 10............................................................FEEDBACK

1. DESCRIPTION

"TUTOS is a tool to manage the the organizational needs of small groups, teams, departments ... To do this it provides some web-based tools"

(direct quote from http://www.tutos.org)

2. DETAILS

  • Cross Site Scripting :

Many exploitable bugs was found in Tutos which cause script execution on client's computer by following a crafted url.

This kind of attack known as "Cross-Site Scripting Vulnerability" is present in many section of the web site, an attacker can input specially crafted links and/or other malicious scripts.

  • Path Disclosure

These vulnerabilities would allow a remote user to determine the full path to the web root directory and other potentially sensitive information. This vulnerability can be triggered by a remote user submitting a specially crafted HTTP request.

3. EXPLOITS

  • Cross Site Scripting :

In many Tutos forms for create new items like : - http://[tutos]/php/company_new.php - http://[tutos]/php/app_new.php - http://[tutos]/php/task_new.php - http://[tutos]/php/[xxxx]_new.php

The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(open a window with the cookie of the visitor)

(replace [] by <>)

  • Path Disclosure / SQL Injection

The affected page is note_overview.php : http://[tutos]/php/note/note_overview.php?id=1;

The navigator display :

Detail : SELECT DISTINCT n.* FROM notes n WHERE n.id = 1; ORDER by creation DESC

TUTOS Version: 1.1.20030715 PHP Version: "xxx" PHP Config: "xxx" APACHE Version: "xxx" Browser: "xxx" DB User : tutos DB Alias : TUTOS database URL: /tutos/php/note/note_overview.php Request: /tutos/php/note/note_overview.php?id=1; Called by: "xxx" ... (and the directory structure)

There is a SQL Injection risk but the exploit code need to be find.

4. SOLUTIONS

Upgrade your Tutos version to 1.1.20040412.

5. WORKAROUND

  • Cross Site Scripting :

Use the function php eregi_replace to filter the input data.

6. VENDOR STATUS

2004-01-13 Vulnerability discovered 2004-01-13 The vendor has reportedly been notified 2004-01-16 First response - Working on the security fixes 2004-04-12 Bugfix update (version 1.1.20040412) 2004-04-13 Public disclosure

7. CREDITS

Discovered by François SORIN <francois.sorin@kereval.com>

8. DISLAIMER

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

9. REFERENCES

  • Original Version: http://www.kereval.com/a,20040413100957.html

10. FEEDBACK

Please send suggestions, updates, and comments to:

Kereval Immeuble Le Gallium 80, avenue des Buttes de Coesmes 35700 RENNES - FRANCE info@kereval.com