Ripe Website Manager SQL Injection and Cross Site Scripting Vulnerabilities

Vulnerability ID: 1052902    Vulnerability type:
Published: 2007-08-27    Updated: 2007-08-27
CVE IDs: CVE-2007-4523, CVE-2007-4522
CNNVD-ID: N/A
Platform: N/A    CVSS score: N/A
Source: https://cxsecurity.com/issue/WLB-2007080123
Vulnerability details: details have not yet been disclosed
Vulnerability EXP: Refer to the advisory...

OS2A
Ripe Website Manager SQL Injection and Cross Site Scripting Vulnerabilities

OS2A ID: OS2A_1009    Status:

07/11/2007 Issue Discovered
07/12/2007 Reported to the Vendor
08/22/2007 Public Release

Class: SQL Injection and Cross Site Scripting    Severity: High

Overview:
---------

Ripe Website Manager is a web-based CMS (Content Management System).
It allows you to create and edit your website pages.

Description:
------------

SQL injection and cross-site scripting vulnerabilities exist in Ripe Website
Manager, which can be exploited by malicious users to conduct script insertion
and SQL injection attacks.

The input passed to the following parameters is not properly sanitized:

- id parameter in 'admin/pages/delete_page.php',
  'admin/navigation/delete_menu.php' and 'delete_item.php'
- new_menuname parameter in 'admin/navigation/do_new_nav.php'
- url and name parameters in 'admin/navigation/new_nav_item.php'
- area1 and name parameters in 'admin/pages/do_new_page.php'

Impact:
-------

Successful exploitation allows an attacker to execute arbitrary script code,
steal cookie-related information in the context of an affected web site,
and execute SQL queries.

Exploitation requires valid login credentials.

Affected Software(s):
---------------------

Ripe Website Manager 0.8.9 and prior

Proof of Concept:
-----------------

After logging in as a valid user:

SQL Injection:

http://example.com/admin/pages/delete_page.php?id=0 or 1=1

XSS:

Go to http://www.example.com/admin/pages/new_page.php
and insert <script>alert("XSS")</script> in the 'Title' field or
the 'textarea' field.

OR

Go to http://www.example.com/admin/navigation/new_nav_item.php
and insert <script>alert("XSS")</script> in the 'Name' or 'Link to url'
fields.

Analysis:
---------

1. Vulnerable portion of code in Ripe/admin/pages/delete_page.php,
   admin/navigation/delete_item.php and delete_menu.php

   $id = $_GET['id'];

2. Vulnerable portion of code in Ripe/admin/navigation/do_new_item.php

   $menu_id=$_POST['menu_id'];
   $name=$_POST['name'];
   $page_id=$_POST['page_id'];
   $url=$_POST['url'];

3. Vulnerable portion of code in Ripe/admin/navigation/do_new_nav.php

   $new_menuname=$_POST['new_menuname'];

4. Vulnerable portion of code in Ripe/admin/pages/do_new_page.php

   $area1=$_POST['area1'];
   $name=$_POST['name'];
   $url=$_POST['url'];
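The following is an added example, not code from Ripe Website Manager or the OS2A advisory: the unsafe assignment pattern quoted above, beside a hardened form that validates the id, binds it in a prepared statement, checks authorisation in the spirit of the vendor's 0.8.10 design change, and encodes stored page titles on output. The table and column names (pages, page_id, title, body), the $pdo connection and the $is_admin flag are assumptions.

```php
<?php
// Added example (not the project's own code). Table/column names, $pdo and
// $is_admin are assumptions made for illustration.

// --- Vulnerable pattern described in the advisory ---
// $id = $_GET['id'];
// mysql_query("DELETE FROM pages WHERE page_id = $id"); // "0 or 1=1" matches every row

// --- Hardened delete_page.php ---
function delete_page(PDO $pdo, array $get, bool $is_admin): bool
{
    // Authorisation first: the vendor fix restricted these operations to privileged users.
    if (!$is_admin) {
        http_response_code(403);
        return false;
    }
    // Strict type validation: only a positive integer is accepted,
    // so a value such as "0 or 1=1" is rejected before any query runs.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }
    // Prepared statement: the value is bound as an integer, never interpolated into SQL text.
    $stmt = $pdo->prepare('DELETE FROM pages WHERE page_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// --- Hardened do_new_page.php (name and area1 parameters) ---
function create_page(PDO $pdo, array $post): int
{
    $name  = trim($post['name'] ?? '');
    $area1 = $post['area1'] ?? '';
    if ($name === '' || strlen($name) > 200) {
        throw new InvalidArgumentException('invalid page name');
    }
    // Bound parameters again; stored content is kept verbatim and escaped on output.
    $stmt = $pdo->prepare('INSERT INTO pages (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $name, ':body' => $area1]);
    return (int) $pdo->lastInsertId();
}

// --- Output encoding: a stored <script>alert("XSS")</script> title is rendered
// as literal text instead of being executed by the browser.
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```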

CVSS Score Report:
------------------

ACCESS_VECTOR          = NETWORK
ACCESS_COMPLEXITY      = LOW
AUTHENTICATION         = SINGLE INSTANCE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = PARTIAL
EXPLOITABILITY         = PROOF_OF_CONCEPT
REMEDIATION_LEVEL      = OFFICIAL_FIX
REPORT_CONFIDENCE      = CONFIRMED

CVSS Base Score        = 6.5 (AV:N/AC:L/Au:SI/C:P/I:P/A:P)
CVSS Temporal Score    = 5.1
Risk factor            = High

Solution:
-----------

Upgrade to the latest version, 0.8.10, of Ripe Website Manager. The design
change implemented ensures that other users do not have permission to perform
the above operations.

Credits:
-----------

Nagendra Kumar G and Arun Kethipelly of OS2A have been credited with the
discovery of these vulnerabilities.