moziloWiki - Directory Traversal, XSS and SessionFixation Issues



[MajorSecurity Advisory #56] moziloWiki - Directory Traversal, XSS and SessionFixation Issues

Details
=======
Product: moziloWiki
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: http://www.mozilo.de/
Vendor-Status: informed
Advisory-Status: published

Credits
=============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Affected Products:
----------------------------
moziloWiki 1.0.1 and prior

Original Advisory:
=============
http://www.majorsecurity.de/index_2.php?major_rls=major_rls56

Introduction
=============
moziloWiki is an easy to handle wiki system.

More Details
=============
1. Directory Traversal:
----------------------
Affected files:
print.php -> page parameter

Acquiring access to known files outside of the web root and current directory
is possible through directory traversal techniques.
This is made possible through the use of "../../" in an HTTP request.

2. Cross Site Scripting:
----------------------
Affected files:
index.php -> action parameter
index.php -> page parameter

Affected parameters are not being properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

3. Session Fixation:
---------------------
The "PHPSESSID" parameter can be set to a malicious and arbitrary value.

3.1 Description:
In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server.
After a user's session ID has been fixed, the attacker will wait for them to log in.
Once the user does so, the attacker uses the predefined session ID value to assume their online identity.

3.2 PoC:
=============
http://localhost/mozilowiki/?PHPSESSID=15031988

4. Workaround:
=================
Update to moziloWiki 1.0.2

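Added example (not part of the original advisory and not moziloWiki code): a log triage script that flags requests touching the parameters named in sections 1 to 3, for checking a server that ran 1.0.1 or earlier. The log lines are constructed, the /mozilowiki/ path is taken from the PoC URL, and treating a bare directory request as index.php is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Sep/2008:10:00:01 +0200] "GET /mozilowiki/print.php?page=..%2F..%2Fexample.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Sep/2008:10:00:02 +0200] "GET /mozilowiki/print.php?page=..%252F..%252Fexample.txt HTTP/1.1" 200 512',
    '198.51.100.8 - - [30/Sep/2008:10:00:03 +0200] "GET /mozilowiki/index.php?action=%3Cb%3Etest HTTP/1.1" 200 2048',
    '198.51.100.9 - - [30/Sep/2008:10:00:04 +0200] "GET /mozilowiki/?PHPSESSID=15031988 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [30/Sep/2008:10:00:05 +0200] "GET /mozilowiki/index.php?page=Home HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')   # "../" or "..\" after decoding
MARKUP_RE = re.compile(r'[<>"\']')        # characters that need output encoding

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the advisory issue classes a single log line matches."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # Assumption: a bare directory request is served by index.php.
    script = url.path.rsplit('/', 1)[-1] or 'index.php'
    findings = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in map(fully_unquote, values):
            if script == 'print.php' and name == 'page' and TRAVERSAL_RE.search(value):
                findings.append('directory-traversal')
            if script == 'index.php' and name in ('action', 'page') and MARKUP_RE.search(value):
                findings.append('xss')
            if name == 'PHPSESSID':
                findings.append('session-id-in-url')
    return findings

def scan(lines):
    """Map 1-based line number to findings, skipping clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

if __name__ == '__main__':
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, findings)
```

A session-id-in-url hit only shows that a session ID was supplied in the query string; correlate it with a later login on the same ID before treating it as fixation.
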
History/Timeline
=================
17.09.2008 discovery of the vulnerabilities
18.09.2008 additional tests with other versions
19.09.2008 contacted the vendor
20.09.2008 vendor confirmed vulnerabilities
27.09.2008 vendor released patch
29.09.2008 advisory is written
30.09.2008 advisory released

MajorSecurity
=================
MajorSecurity is a German penetration testing and security research company which focuses
on web application security. We offer professional penetration tests and reliable proofs
of concept.
You will find more information about MajorSecurity at
http://www.majorsecurity.de/penetrationstest/penetrationtest.php
