Home page logo

fulldisclosure logo Full Disclosure mailing list archives

(no subject)
From: CodeScan Labs Advisories <advisories () codescan com>
Date: Tue, 19 Jan 2010 15:07:48 +1300


= CodeScan Advisory, codescan.com <advisories () codescan com>
= Multiple vulnerablities in Xoops 2.4.3
= Vendor Website:
= http://www.xoops.org
= Affected Version:
=    Xoops 2.4.3 And Earlier
= Researched By
=    CodeScan Labs <advisories () codescan com>
= Public disclosure on January 19th, 2010

== Overview ==

CodeScan Labs (www.codescan.com), has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.

During the ongoing testing of CodeScan ASP, Xoops was selected as one of 
the test applications. We downloaded Xoops from the Xoops website 
http://sourceforge.net/projects/xoops/files/XOOPS Core (stable releases)/XOOPS 2.4.3/.

This advisory is the result of research into the security of Xoops,
based on the report generated by the CodeScan tool.

== Vulnerability Details ==

* File Deletion through unlink *

The unlink function is used by a web page to delete a file on the web server.
The unlink function was found to be used with user input:


Although the filter functions like str_replace are used:

        $oldsmile_path = str_replace("\\", "/", realpath(XOOPS_UPLOAD_PATH.'/'.trim($_POST['old_smile'])));

It is not a strong enough for CodeScan Developer to count it as a filter.
It is potentially dangerous for user to have direct input of what to delete, 
dependent on the access and permission the user holds.  It is recommended 
that user permissions and access are constrained to prevent exploitation.

* HTTP Response Splitting via Header *

Codescan Developer has identified that the application header has the 
$redirect variable involved with a user input with no validators or 
restrictions, or custom filters function.

        $redirect = trim($_GET['xoops_redirect']);
        header('Location: ' . $redirect);

It is potentially dangerous at this point where a malicious user could inject 
malicious codes into the header; next time a user accesses the page, can 
cause it to execute that malicious code.

== Credit ==

Discovered and advised to the vendor by CodeScan Labs

== About CodeScan Labs Ltd ==

CodeScan Labs is a specialist security research and development
organisation, that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities.  The CodeScan product is currently available for ASP, 

CodeScan Labs operates with Responsible Disclosure. As a result,
any published advisories will contain information around problems
identified by CodeScan, that have been resolved by the vendor.Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor will not be made publicly available.

This message has been scanned for viruses and
dangerous content by Bizo EmailFilter, and is
believed to be clean.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • (no subject) CodeScan Labs Advisories (Jan 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]