Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

JGI CMS 1.0 - Multiple Vulnerabilities

🗓️ 12 Sep 2017 00:00:00Reported by RenziType 
zdt
 zdt🔗 0day.today👁 31 Views

JGI CMS 1.0 Directory Traversal and XSS Vulnerabilities. Insecure file handling and script source code lea

Code
JGI CMS 1.0 - Multiple Vulnerabilities

1----------------------------------

A Directory Traversal vulnerability has been discovered in the JCI CMS  web-application.
The vulnerability is located in the 'arquivo' parameter of the`dl.php` action GET method request.

Request Method(s):

[+] GET

Vulnerable Function(s):

[+] dl.php

Vulnerable Parameter(s):

[+] arquivo

Proof of Concept (PoC):
========================
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. 
By manipulating variables that reference files with adot-dot-slash (../)a sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. 
It should be noted that access to files is limited by system operational access control. [OWASP]

[+] http://www.abq.org.br/dl.php?arquivo=../../../../../../../../../../etc/passwd

Solution 
=========
There are several measures that enterprises can take to prevent directory traversal attacks and vulnerabilities. 
For starters, programmers should be trained to validate user input from browsers. 
Input validation ensures that attackers cannot use commands that leave the root directory or violate other access privileges. 
Beyond this, filters can be used to block certain user input. 
Enterprises typically employ filters to block URLs containing commands and escape codes that are commonly used by attackers. 
Additionally, web server software (and any software that is used) should be kept up-to-date with current patches. 
Regularly patching software is a critical practice for reducing security risk, as software patches typically contain security fixes. [Veracode]


2----------------------------------


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. 
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. 
Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. 
The end useras browser has no way to know that the script should not be trusted, and will execute the script. 
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. 
These scripts can even rewrite the content of the HTML page.[OWASP]
 
http://www.abq.org.br/cbq/2010/busca.html?wvstest=javascript:domxssExecutionSink(1,"'\"><script>alert(123)</script>")


Solution 
=========
For the prevention of Cross Site Scripting, some steps must be taken:
Never enter untrusted data except in places defined for this purpose. 
The principle of this rule is to deny everything and mainly not to digest JavaScript code from an unknown source and then execute it.
Validate the escape characters before inserting them inside the HTML element. Failure to validate inputs may allow malicious code to be injected into the application.
Validate the parameters of the URL and verify information that it sends in HTTP requests, it escapes hexadecimal in URLs such as %25, where 25 is the ASCII code of the character "%".

3----------------------------------

It is possible to read the source code of this script by using script filename as a parameter. 
It seems that this script includes a file which name is determined using user-supplied data. 
This data is not properly validated before being passed to the include function.

[+] http://www.abq.org.br/dl.php?arquivo=dl.php

Solution 
=========
For starters, programmers should be trained to validate user input from browsers. 
Input validation ensures that attackers cannot use commands that leave the root directory or violate other access privileges. 
Beyond this, filters can be used to block certain user input. 
Enterprises typically employ filters to block URLs containing commands and escape codes that are commonly used by attackers. 
Additionally, web server software (and any software that is used) should be kept up-to-date with current patches. 
Regularly patching software is a critical practice for reducing security risk, as software patches typically contain security fixes.

#  0day.today [2018-03-14]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Sep 2017 00:00Current
7.1High risk
Vulners AI Score7.1
directory traversalxssinsecure file handlingscript source codeinput validation
31