TUCoPS :: Web :: Apps :: b06-2612.htm

Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities
Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities
Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities


============================================================0D
Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities=0D
============================================================0D
Technical University of Vienna Security Advisory=0D
TUVSA-0605-001, May 30, 2006=0D
============================================================0D
=0D
=0D
Affected applications=0D
----------------------=0D
=0D
Open Searchable Image Catalogue (http://cosp.wordpress.com/tag/osic, http://sourceforge.net/projects/osic-win)=0D 
=0D
Versions 0.7 and prior.=0D
=0D
=0D
Description=0D
------------=0D
=0D
There are a number of cross site scripting (XSS) vulnerabilities that are caused by the second echo statement in function do_mysql_query (core.php, line 544). If a database query fails for some reason, the query is reflected back to the user. Here are a few points where this situation can be exploited (if register_globals is active and if the current user is logged in as admin):=0D
=0D
adminfunctions.php, line 531=0D
http://localhost/osic07/admin.php?action=manageusers&username=neweviluser&password=xyz&confpass=xyz&realname='&type==0D 
=0D
adminfunctions.php, line 561=0D
http://localhost/osic07/admin.php?action=manageusers&id=777&username=neweviluser&password=xyz&confpass=xyz&realname='&type==0D 
=0D
editcatalogue.php, line 523=0D
http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id='&uploaded=true&submit=true&AddRemaining=true=0D 
[there has to be at least one file with a valid extension in the uploads directory]=0D
=0D
editcatalogue.php, line 581=0D
http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id=777&uploaded=true&submit=true&catalogue_id='=0D 
=0D
The above vulnerabilities are also SQL Injection vulnerabilities.=0D
=0D
Some analogous cases in search.php:=0D
=0D
search.php, line 120:=0D
The $query variable can contain malicious user input due to the assignments on lines 90-112.=0D
=0D
search.php, line 152:=0D
$cf_query is tainted by $cfid, which is tainted by $tempCustomFieldID, which is tainted by $HTTP_POST_VARS (line 138).=0D
=0D
search.php, lines 243-250:=0D
There are calls to getValueFromID with $item_list as parameter, which can be controlled by an attacker.=0D
=0D
=0D
Solution=0D
---------=0D
=0D
The authors have responded to our message quickly and have released version 0.7.0.1, which fixes the above issues.=0D
=0D
Timeline:=0D
=0D
March 30, 2006:=0D
- Vulnerabilities reported to Chris Goerner.=0D
- Response and release of fixed version.=0D
- Advisory submission.=0D
=0D
=0D
References=0D
-----------=0D
=0D
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0605-001.txt=0D 
=0D
=0D
Nenad Jovanovic=0D
Secure Systems Lab =0D
Technical University of Vienna =0D
www.seclab.tuwien.ac.at=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH