Habari Blog – Multiple Vulnerabilities

• Exploit Database
• 8 阅读

• 作者： High-Tech Bridge SA
  日期： 2010-12-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15799/

• Vulnerability ID: HTB22732
  Reference: http://www.htbridge.ch/advisory/path_disclosure_in_habari.html
  Product: Habari
  Vendor: Habari ( http://habariproject.org/en/ ) 
  Vulnerable Version: 0.6.5
  Vendor Notification: 02 December 2010 
  Vulnerability Type: Path disclosure
  Status: Fixed by Vendor
  Risk level: Low 
  Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 
  
  Vulnerability Details:
  The vulnerability exists due to failure in the "/system/admin/header.php" & "/system/admin/comments_items.php" script, it's possible to generate an error that will reveal the full path of the script.
  A remote user can determine the full path to the web root directory and other potentially sensitive information.
  
  Attacker can use browser to exploit this vulnerability. The following PoC is available:
  
  http://[host]/system/admin/header.php
  http://[host]/system/admin/comments_items.php
  
  Solution: Upgrade to the most recent version
  
  
  Vulnerability Details:
  User can execute arbitrary JavaScript code within the vulnerable application.
  
  The vulnerability exists due to failure in the "/system/admin/dash_status.php" script to properly sanitize user-supplied input in "status_data" variable when register_globals is on. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
  
  Attacker can use browser to exploit this vulnerability. The following PoC is available:
  
  http://habari/system/admin/dash_status.php?status_data[1]=<script>alert('XSS');</script>
  
  Solution: Upgrade to the most recent version
  
  
  Vulnerability Details:
  User can execute arbitrary JavaScript code within the vulnerable application.
  
  The vulnerability exists due to failure in the "/system/admin/dash_additem.php" script to properly sanitize user-supplied input in "additem_form" variable when register_globals is on. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
  
  Attacker can use browser to exploit this vulnerability. The following PoC is available:
  
  http://[host]/system/admin/dash_additem.php?additem_form=<script>alert('XSS');</script>
  
  Solution: Upgrade to the most recent version