Kartoo Search Engine XSS / Remote File Inclusion

2013.11.20
Risk: High
Local: No
Remote: Yes
CWE: CWE-79, CWE-22


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

==================================================================
KARTOO SEARCH ENGINE XSS / PHP allow_url_fopen enabled / PHP allow_url_include enabled / Security vulnerability in <<MySQL/MariaDB sql/password.c>> / Sensitive Files Information Disclosure
===================================================================

06-11-2013 Security Advisory (kartoo.com and pl.kartoo.com)
07-11-2013 Asked about the issues -> no response
16-11-2013 Asked about the issues -> not fixed
19-11-2013 Full Disclosure

I. VULNERABILITY
-------------------------
#Title: KARTOO SEARCH ENGINE XSS / PHP allow_url_fopen enabled / PHP allow_url_include enabled / Security vulnerability in <<MySQL/MariaDB sql/password.c>> / PHPinfo Information Disclosure / Sensitive File Information Disclosure
#Vendor: http://kartoo.com (and pl.kartoo.com)
#Author: Juan Carlos García (@secnight)
#Follow me: http://asap-sec.com Twitter: @secnight

II. DESCRIPTION
-------------------------
KartOO was a meta search engine which displayed a visual interface. It operated from 2001 to early 2010. KartOO had an Adobe Flash GUI, as opposed to a text-based list of results. Its color scheme was to a degree reminiscent of Apple Computer's Aqua interface. Search results were presented as a "map", with blob-like masses of varying color connecting each item. On rollover of an individual result, a bunch of red lines connected related links. If one began a search with a general topic, KartOO sometimes helped to narrow it down. Every "blob" clicked added another word to the search query. The map would often succeed in presenting keywords or subtopics that defined the topic one was searching on, very much like an interactive spider diagram.

III. PROOF OF CONCEPT
-------------------------

Cross Site Scripting
***************************

Vulnerability description
----------------------------
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted or not, it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

The impact of this vulnerability
----------------------------------
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Attack details
--------------
This vulnerability affects /suggest/add-site.htm.

URL encoded POST input description was set to 1'"()&%<ScRiPt >prompt(904962)</ScRiPt>
categorie=4&code=&description=1%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28904962%29%3c%2fScRiPt%3e&email=sample%40email.tst&linkr=directory%20%26%20search%20engine&securite=1&titre=Mr.&url=1

URL encoded POST input email was set to sample%40email.tst" onmouseover=prompt(905055) bad="
The input is reflected inside a tag parameter between double quotes.
POST /suggest/add-site.htm
categorie=4&code=&description=1&email=sample%2540email.tst%22%20onmouseover%3dprompt%28905055%29%20bad%3d%22&linkr=directory%20%26%20search%20engine&securite=1&titre=Mr.&url=1

URL encoded POST input titre was set to Mr." onmouseover=prompt(999303) bad="
categorie=4&code=&description=1&email=sample%40email.tst&linkr=directory%20%26%20search%20engine&securite=1&titre=Mr.%22%20onmouseover%3dprompt%28999303%29%20bad%3d%22&url=1

URL encoded POST input url was set to 1" onmouseover=prompt(918225) bad="

PHP allow_url_fopen enabled
***************************
http://kartoo.com
http://pl.kartoo.com

Vulnerability description
-------------------------
The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. allow_url_fopen is enabled by default.

Affected items
---------------
/test.php

The impact of this vulnerability
---------------------------------
Application dependent - possible remote file inclusion.

How to fix this vulnerability
--------------------------------
You can disable allow_url_fopen from php.ini or .htaccess.
php.ini
allow_url_fopen = 'off'
.htaccess
php_flag allow_url_fopen off

PHP allow_url_include enabled
*****************************
http://kartoo.com
http://pl.kartoo.com

Vulnerability description
-------------------------
The PHP configuration directive allow_url_include is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server) for functions like fopen and file_get_contents. If user input is not properly validated, this can lead to remote file inclusion vulnerabilities. allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled. This setting is only available since PHP 5.2.

Affected items
-----------------
/test.php

The impact of this vulnerability
--------------------------------
Application dependent - possible remote file inclusion.

How to fix this vulnerability
------------------------------
You can disable allow_url_include from php.ini or .htaccess.
php.ini
allow_url_include = 'off'
.htaccess
php_flag allow_url_include off

PHPinfo page found
********************
http://kartoo.com
http://pl.kartoo.com

Vulnerability description
--------------------------
A PHPinfo page has been found in this directory. The PHPinfo page outputs a large amount of information about the current state of PHP. This includes information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License.

Affected items
----------------
/test.php

The impact of this vulnerability
---------------------------------
This file may expose sensitive information that may help a malicious user to prepare more advanced attacks.

How to fix this vulnerability
--------------------------------
Remove the file from production systems.

Sensitive files
*****************

Vulnerability description
----------------------------
A sensitive file has been found. This file is not directly linked from the website. This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data and database dumps. Each one of these files could help an attacker to learn more about the target.
This vulnerability affects /error_log.
GET /error_log

Security vulnerability in MySQL/MariaDB sql/password.c
******************************************************
http://pl.kartoo.com

Vulnerability description
--------------------------
Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers.
When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might have happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. This means that if one knows a user name to connect with (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent.

Affected versions: All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

Affected items
--------------
/test.php

The impact of this vulnerability
-----------------------------------
An attacker can bypass MySQL authentication.

How to fix this vulnerability
---------------------------------
Upgrade to the latest version of MySQL.

PHP configuration file (php.ini)
*********************************

Vulnerability description
-----------------------------
The php.ini file contains all the configuration for how PHP is parsed on a server. It can contain default database usernames, passwords, hostnames, IP addresses, ports, initialization of global variables and other information. Since it is found by default in /etc, you might be able to find a lot more unrelated information in the same directory.
This vulnerability affects /php.ini.
inurl:php.ini filetype:ini

V. SOLUTION
------------------------
(...)

VI. CREDITS
-------------------------
This vulnerability has been discovered by Juan Carlos García (@secnight)

VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
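The casting defect behind CVE-2012-2122, as described in the MySQL/MariaDB section above, shown as an added example that is not taken from the advisory or from the MySQL sources: my_bool and the two check functions are simplified stand-ins, and the comparison result is passed in as an int instead of being computed by memcmp() over real scramble tokens.

```c
#include <stdio.h>

/* MySQL/MariaDB declared my_bool as a plain char. Storing the int result of
 * memcmp() in it keeps only the low 8 bits, so any non-zero result that is a
 * multiple of 256 collapses to 0 ("tokens equal"). Simulated stand-in, not
 * the real sql/password.c code. */
typedef char my_bool;

/* Buggy shape of the check: the comparison result is narrowed to a char.
 * A return value of 0 means "password accepted". */
my_bool check_scramble_buggy(int cmp_result)
{
    my_bool differs = cmp_result;   /* int -> char truncation happens here */
    return differs;
}

/* Fixed shape: normalise to 0/1 before narrowing, so only a true 0 passes. */
my_bool check_scramble_fixed(int cmp_result)
{
    return cmp_result != 0;
}

/* Count how many non-zero comparison results in [-range, range] the buggy
 * check accepts as a match. When memcmp() may return values outside
 * -128..127 (optimised implementations do), the ratio is the advisory's
 * 1/256: every 256th non-zero result has all-zero low bits. */
double false_accept_ratio(int range)
{
    int accepted = 0, total = 0;
    for (int r = -range; r <= range; r++) {
        if (r == 0)
            continue;               /* a genuine match is not a false accept */
        total++;
        if (check_scramble_buggy(r) == 0)
            accepted++;
    }
    return (double)accepted / total;
}

int main(void)
{
    printf("memcmp()=256: buggy -> %d, fixed -> %d\n",
           check_scramble_buggy(256), check_scramble_fixed(256));
    printf("false accept ratio over +/-65536: %.8f\n",
           false_accept_ratio(65536));
    return 0;
}
```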


Copyright 2024, cxsecurity.com