Security Vulnerabilities
==2009:1029-2 » MPR Module Exploits==
The MPR search page reflects the `type` request parameter into its HTML without escaping it, so attacker-controlled markup can be injected simply by modifying the URL. Cross-site scripting (XSS): the injected tag closes the attribute and element the parameter lands in and then renders foreign content in the page:
http://sahana/index.php?mod=mpr&act=search&type=all>%22%27><img%20src%3d%22http:www.google.com/intl/en_ALL/images/logo.gif%22>
Phishing: the same reflection embeds an attacker-chosen site in an IFrame, again purely through URL modification:
http://sahana/index.php?mod=mpr&act=search&type=all'"><iframe%20src=http://demo.testfire.net>
Link injection: an element that loads a resource from an attacker-chosen path (here a relative image path, which the browser resolves against the Sahana host) can also be planted:
http://sahana/index.php?mod=mpr&act=search&type="'><IMG%20SRC="/WF_XSRF.html">
Code commits:
rel_0_6 »
trunk »
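The following is an added example (not Sahana's own MPR code) of the reflection pattern the three URLs above exploit, beside the hardened form a maintainer would want: the parameter is checked against an allowlist of search types the module actually understands and is HTML-escaped on output. The allowlist values and the form markup are assumptions for illustration; the three payloads are the ones from the URLs above, URL-decoded.

```php
<?php
// Added example, not Sahana's code: reflecting the MPR "type" parameter.

// Constructed inputs: the URL-decoded payloads from the three exploit URLs.
$payloads = [
    'all>"\'><img src="http://www.google.com/intl/en_ALL/images/logo.gif">',
    'all\'"><iframe src=http://demo.testfire.net>',
    '"\'><IMG SRC="/WF_XSRF.html">',
];

// Vulnerable: the request parameter is interpolated straight into markup.
// The first quote in the payload closes value="...", the '>' closes the
// input tag, and whatever follows is rendered as part of the page.
function render_search_type_vulnerable(string $type): string
{
    return '<input type="hidden" name="type" value="' . $type . '">';
}

// Minimal fix: escape on output. Every '<', '>', '"' and "'" becomes an
// entity, so the payload is displayed as text instead of parsed as HTML.
function render_search_type_escaped(string $type): string
{
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="type" value="' . $safe . '">';
}

// Hardened: the parameter is an enumerated value, so reject anything that
// is not one of the known search types and escape the result anyway, so a
// future mistake in the allowlist still cannot break out of the attribute.
const MPR_SEARCH_TYPES = ['all', 'name', 'id']; // hypothetical list of types

function render_search_type_hardened(string $type): string
{
    if (!in_array($type, MPR_SEARCH_TYPES, true)) {
        $type = 'all'; // safe default rather than echoing the input back
    }
    return render_search_type_escaped($type);
}

foreach ($payloads as $p) {
    echo "vulnerable: " . render_search_type_vulnerable($p) . "\n";
    echo "escaped:    " . render_search_type_escaped($p) . "\n";
    echo "hardened:   " . render_search_type_hardened($p) . "\n\n";
}
```

Escaping alone already neutralises all three payloads; the allowlist is the check that belongs in the module, because `type` is never free text and an unexpected value should not reach the output layer at all.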
==2009:1029-1 » Session Fixation Exploit==
In some cases an anonymous user could set an arbitrary PHPSESSID in a local cookie and Sahana would adopt it as the session ID for a new session. Old session keys were also not purged from the database when a user logged out. An attacker could brute-force, social-engineer, or use a cross-site browser exploit to obtain an old session key and use it to authenticate to Sahana.
Fixes:
Anonymous users are no longer able to inject a PHPSESSID, because a new PHPSESSID is regenerated with every page view; the only way to obtain an authenticated session is therefore the login process. Old session IDs are also deleted from the database when a user logs out, so no stale session keys remain to be reused.
More on this exploit here:
http://shiflett.org/articles/session-fixation
Code commits:
rel_0_6 » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.12.4.1&view=markup
trunk » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.16&view=markup
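As an added example (not Sahana's handler_session.inc), the following shows the three controls that close the fixation path described above using PHP's built-in session API: refusing session IDs the server did not itself issue, regenerating the ID when the session gains privileges at login, and destroying the server-side record at logout. The cookie settings, the demo user store and the PHP 7.3+ array form of `session_set_cookie_params` are assumptions made for this example.

```php
<?php
// Added example, not Sahana's code: session handling hardened against fixation.

function secure_session_start(): void
{
    // Refuse session IDs that the server did not issue. A client-supplied
    // PHPSESSID that is not already known is discarded and replaced, so an
    // attacker cannot plant an ID for the victim to log in with.
    ini_set('session.use_strict_mode', '1');
    // Keep the ID in a cookie only, never in URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([          // PHP 7.3+ signature (assumption)
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,              // assumption: the site is served over HTTPS
        'httponly' => true,              // keeps the ID away from injected script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    if (!check_credentials($username, $password)) {
        return false;
    }
    // Privilege change: issue a fresh ID and delete the old record (the
    // "true" argument), so a pre-login ID, fixed or leaked, is worthless.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client ...
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    // ... and purge the server-side record, the step the original code missed.
    session_destroy();
}

// Constructed demo user store for this example; real code looks the user up
// in the database and compares against a stored password hash.
function check_credentials(string $username, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['demo' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

secure_session_start();
if (login('demo', 'correct horse battery staple')) {
    echo "logged in as " . $_SESSION['user'] . " with session " . session_id() . "\n";
    logout();
    echo "logged out; session destroyed\n";
}
```

Regenerating at login is the step that actually defeats fixation: the attacker's planted ID never becomes an authenticated one. Regenerating on every page view, as the Sahana fix does, goes further but means that a request issued while the previous response is still in flight (a concurrent AJAX call, for instance) carries an ID that has just been invalidated, so the stricter server-side acceptance (`use_strict_mode`) plus regeneration at privilege changes is the usual balance.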
==2009:1019 » Null character URL Exploit==
We have run Sahana through some of our security analysis software and identified a severe security vulnerability. It occurs when a malformed URL containing a null character is sent to Sahana. Example:
http://sahana/index.php?stream=text&mod=/../../../../../../../../../../../etc/passwd%00
The `mod` parameter is concatenated into the path of the module file (`mod/<module>/main.inc`). The PHP versions in use at the time passed that string to C library calls that treat `\0` as the end of the string, so everything after `%00` (the appended `/main.inc`) is dropped and the `../` sequences walk out of the `mod/` directory: the web server opens `/etc/passwd`. This allows an attacker to read essentially any file that the web server process can read. A patch has been committed to the trunk that checks the module name for null characters and removes them before the file is opened.
To patch a Sahana site already in place, add the following lines:

// fixes the security vulnerability associated with null characters in the $module string
$module = str_replace("\0", "", $module);

right before this line:

// identify the correct module file based on action and module
$module_file = $APPROOT.'mod/'.$module.'/main.inc';

Note that this patch removes only the null byte; the `../` sequences in `$module` still pass through into the path, so restricting the module name to a plain identifier (or to the list of installed modules) is the stronger check.
This issue can also be followed here with direct links to patches : https://sourceforge.net/tracker/index.php?func=detail&aid=2908356&group_id=127855&atid=709778
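As an added example (not Sahana's own patch), the function below applies the one-line null-byte fix from above beside a stricter module-name check that also stops the `../` traversal the example URL relies on: the name must be a short identifier, and the resolved path must still lie under `mod/`. The `$APPROOT` value, the `mod/<module>/main.inc` layout and the identifier pattern are assumptions taken from the snippet above.

```php
<?php
// Added example, not Sahana's code: resolving the module file safely.

// The committed fix: strip NUL bytes so the C-level filename cannot be
// truncated before '/main.inc' is appended. Traversal is not addressed.
function module_file_nullfix(string $approot, string $module): string
{
    $module = str_replace("\0", "", $module);
    return $approot . 'mod/' . $module . '/main.inc';
}

// Stricter check: a module name is a short identifier, so anything else is
// refused outright. One pattern match rejects NUL bytes, slashes and '..'.
function module_file_strict(string $approot, string $module): ?string
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $module)) {   // assumed naming rule
        return null;
    }
    $path = $approot . 'mod/' . $module . '/main.inc';

    // Defence in depth: after symlinks and '..' are resolved, the file must
    // still live inside the mod/ directory. realpath() returns false for a
    // file that does not exist, which is also a refusal.
    $base = realpath($approot . 'mod');
    $real = realpath($path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$approot = '/var/www/sahana/';                             // assumption
$attack  = "/../../../../../../../../../../../etc/passwd\0"; // the URL's mod= value, decoded

echo "nullfix: " . module_file_nullfix($approot, $attack) . "\n";
var_dump(module_file_strict($approot, $attack));   // rejected by the pattern
var_dump(module_file_strict($approot, 'mpr'));     // path under mod/, or NULL if not installed
var_dump(module_file_strict($approot, "mpr\0"));   // rejected: NUL is not in the pattern
```

With the null-byte fix alone, the attack string still yields a path that climbs out of `mod/`; it fails only because `/etc/passwd/main.inc` does not exist. The identifier check makes the outcome independent of what happens to be on disk, and the `realpath` comparison catches a module directory that is itself a symlink pointing elsewhere.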