Security Vulnerabilities

==2009:1029-2 » MPR Module Exploits==

Cross-site scripting can be achieved by modifying the URL of the MPR search so that the type parameter is reflected into the page unescaped, injecting foreign markup:

http://sahana/index.php?mod=mpr&act=search&type=all>%22%27><img%20src%3d%22http:www.google.com/intl/en_ALL/images/logo.gif%22>

Phishing can be done through an IFrame, also via URL modification:

http://sahana/index.php?mod=mpr&act=search&type=all'"><iframe%20src=http://demo.testfire.net>

Link injection can also be achieved:

http://sahana/index.php?mod=mpr&act=search&type="'><IMG%20SRC="/WF_XSRF.html">

All three payloads rely on the same flaw: the value of type is echoed into the page without HTML encoding, so a quote character closes the surrounding attribute and the rest of the value is parsed by the browser as markup.

Code commits:
rel_0_6 »
trunk »
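As an added example (this is not Sahana's MPR code), here is the reflection behind the three payloads above: a vulnerable search handler that echoes the type parameter straight into markup, beside a hardened one that accepts only a whitelist of module types and HTML-encodes anything it reports back. The handler and helper names, the list of allowed types and the markup produced are assumptions for this example; the payload URLs are the ones quoted on this page.

```php
<?php
// Added example, not Sahana code: the page's XSS entry as a vulnerable search
// handler beside a hardened one. Function names and ALLOWED_TYPES are assumptions.

declare(strict_types=1);

// Search types the handler is willing to dispatch to (assumed list).
const ALLOWED_TYPES = ['all', 'missing', 'found'];

// Vulnerable: the raw query parameter is echoed into an attribute and into text.
// A value such as  all>"'><img src="..."> closes the attribute and the browser
// parses the remainder as a tag (the <img>, <iframe> and link payloads above).
function render_search_vulnerable(array $query): string
{
    $type = $query['type'] ?? 'all';
    return '<input type="hidden" name="type" value="' . $type . '">'
        . '<p>Search results for type: ' . $type . '</p>';
}

// Hardened: a module type is an identifier, not free text, so reject unknown
// values; whatever is reflected is encoded with ENT_QUOTES so " and ' are inert.
function render_search_hardened(array $query): string
{
    $type = $query['type'] ?? 'all';
    if (!in_array($type, ALLOWED_TYPES, true)) {
        return '<p class="error">Unknown search type: '
            . htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
    }
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="type" value="' . $safe . '">'
        . '<p>Search results for type: ' . $safe . '</p>';
}

// Build the $_GET array PHP would produce for a request URL (query part only).
function query_from_url(string $url): array
{
    $q = [];
    parse_str(explode('?', $url, 2)[1] ?? '', $q);
    return $q;
}

// Constructed inputs: one benign request plus the three payload URLs from the page.
$requests = [
    'http://sahana/index.php?mod=mpr&act=search&type=all',
    'http://sahana/index.php?mod=mpr&act=search&type=all>%22%27><img%20src%3d%22http:www.google.com/intl/en_ALL/images/logo.gif%22>',
    "http://sahana/index.php?mod=mpr&act=search&type=all'\"><iframe%20src=http://demo.testfire.net>",
    'http://sahana/index.php?mod=mpr&act=search&type="\'><IMG%20SRC="/WF_XSRF.html">',
];

// A tag surviving into the output means the injection worked.
function contains_injected_tag(string $html): bool
{
    return (bool) preg_match('/<(img|iframe)\b/i', $html);
}

foreach ($requests as $url) {
    $q = query_from_url($url);
    printf("type=%s\n", json_encode($q['type'] ?? null));
    printf("  vulnerable output carries a tag: %s\n",
        contains_injected_tag(render_search_vulnerable($q)) ? 'yes' : 'no');
    printf("  hardened output carries a tag:   %s\n",
        contains_injected_tag(render_search_hardened($q)) ? 'yes' : 'no');
}
```

Running this shows the vulnerable handler emitting a live tag for each of the three payloads while the hardened handler never does; the benign request renders the same way in both. Output encoding at the point of reflection is the fix that closes the whole class, whereas the whitelist alone only works because this particular parameter has a small fixed domain.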
==2009:1029-1 » Session Fixation Exploit==

In some cases an anonymous user could supply a PHPSESSID of their choosing by modifying a local cookie, and Sahana would adopt it as the session ID (session fixation). Old session keys were also not purged from the database when a user logged out, so a user who obtained an old session key by brute force, social engineering or a cross-site browser exploit could use it to authenticate to Sahana.

Fixes: anonymous users can no longer inject a PHPSESSID, because a new PHPSESSID is generated with every page view, so the only way to obtain an authenticated session is through the login process. Old session IDs are also deleted from the database when a user logs out, so no stale session keys remain to be replayed. Regenerating the session ID at login, when the session changes privilege level, is the essential part of this fix; regenerating on every page view additionally shortens the window in which any captured ID is useful.

More on this exploit here: http://shiflett.org/articles/session-fixation

Code commits:
rel_0_6 » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.12.4.1&view=markup
trunk » http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.16&view=markup
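As an added example (this is not Sahana's handler_session.inc), the following self-contained session store models the two behaviours this entry describes, adopting a client-supplied session ID and keeping old IDs after logout, and contrasts them with the fixed policy of issuing fresh IDs and purging on logout. The class, method names and the "attacker-knows-this" cookie value are assumptions constructed for this example.

```php
<?php
// Added example, not Sahana's session handler: an in-memory session store run in
// "vulnerable" and "strict" modes to show why fixation and stale-ID replay work.

declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => session data */
    private array $sessions = [];

    public function __construct(private bool $strict) {}

    private static function newId(): string
    {
        return bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    }

    // Resume the session named by the PHPSESSID cookie or start a fresh one;
    // returns the id the server will set in the response cookie.
    public function resume(?string $cookieId): string
    {
        if ($cookieId !== null && isset($this->sessions[$cookieId])) {
            return $cookieId; // a server-issued id we know about
        }
        if (!$this->strict && $cookieId !== null) {
            // Vulnerable: adopt an id the server never issued (session fixation).
            $this->sessions[$cookieId] = [];
            return $cookieId;
        }
        // Fixed: an unknown id is ignored and replaced (what session.use_strict_mode does).
        $id = self::newId();
        $this->sessions[$id] = [];
        return $id;
    }

    // On login bind the user to a brand-new id and drop the pre-login one, so an
    // id the attacker knew before authentication never becomes an authenticated one.
    public function login(string $id, string $user): string
    {
        $data = $this->sessions[$id] ?? [];
        $data['user'] = $user;
        if (!$this->strict) {
            $this->sessions[$id] = $data; // vulnerable: id unchanged across login
            return $id;
        }
        unset($this->sessions[$id]);
        $newId = self::newId();
        $this->sessions[$newId] = $data;
        return $newId;
    }

    public function logout(string $id): void
    {
        if ($this->strict) {
            unset($this->sessions[$id]); // purge server-side, not just the cookie
        }
    }

    public function userFor(string $id): ?string
    {
        return $this->sessions[$id]['user'] ?? null;
    }
}

// Scenario 1: the attacker plants PHPSESSID=attacker-knows-this in the victim's
// browser, the victim logs in, then the attacker presents the same id.
function fixation_succeeds(bool $strict): bool
{
    $store = new SessionStore($strict);
    $planted = 'attacker-knows-this';
    $id = $store->resume($planted);
    $id = $store->login($id, 'victim');
    return $store->userFor($planted) === 'victim';
}

// Scenario 2: an id from a session the user has logged out of is replayed later.
function stale_id_replays(bool $strict): bool
{
    $store = new SessionStore($strict);
    $id = $store->resume(null);
    $id = $store->login($id, 'victim');
    $store->logout($id);
    return $store->userFor($id) === 'victim';
}

printf("fixation works, vulnerable policy: %s\n", var_export(fixation_succeeds(false), true));
printf("fixation works, fixed policy:      %s\n", var_export(fixation_succeeds(true), true));
printf("stale id replays, vulnerable:      %s\n", var_export(stale_id_replays(false), true));
printf("stale id replays, fixed:           %s\n", var_export(stale_id_replays(true), true));
```

With the vulnerable policy both scenarios succeed; with the strict policy both fail. In a real PHP deployment the same three controls are session.use_strict_mode=1 (never adopt an uninitialised id), session_regenerate_id(true) at login (and the old data deleted), and session_destroy() at logout, with the cookie marked HttpOnly and Secure so the id is harder to steal in the first place.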
==2009:1019 » Null character URL Exploit==

We have run Sahana through some of our security analysis software and identified a severe vulnerability. It occurs when a malformed URL is sent to Sahana with a null character (%00) in the mod parameter. Example:

http://sahana/index.php?stream=text&mod=/../../../../../../../../../../../etc/passwd%00

The module name is concatenated into a file path and included. PHP releases before 5.3.4 did not reject null bytes in file paths, so the path was cut off at the null at the C level, the trailing /main.inc was discarded, and the ../ sequence reached /etc/passwd. This allows an attacker to read essentially any file the web server process can read. A patch has been committed to the trunk to check for null characters in the module name and remove them before opening the file. Note that stripping the null byte only restores the /main.inc suffix; it does not reject ../ in the module name, so a stricter check that accepts only identifier characters is advisable. To patch a Sahana site already in place, add the following line:
// fixes the security vulnerability associated with null characters in the $module string
$module = str_replace("\0", "", $module);

Right before this line:

// identify the correct module file based on action and module
$module_file = $APPROOT.'mod/'.$module.'/main.inc';

This issue can also be followed here with direct links to patches : https://sourceforge.net/tracker/index.php?func=detail&aid=2908356&group_id=127855&atid=709778
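As an added example (this is not Sahana's index.php), the module dispatch line quoted above is shown three ways: the original concatenation, the page's null-byte strip, and a stricter resolver that accepts only identifier characters and confirms the resolved file lies under mod/. The $APPROOT layout mod/<name>/main.inc follows the page; the function names, the temporary directory and the stub module file are assumptions constructed so the example runs offline.

```php
<?php
// Added example, not Sahana code: the vulnerable dispatch path, the page's patch,
// and a stricter check, exercised against the page's payload and a plain traversal.

declare(strict_types=1);

// Vulnerable: before PHP 5.3.4 the open() call stopped at the first NUL byte, so
// mod=/../../../../etc/passwd%00 lost its '/main.inc' suffix and the include read
// /etc/passwd. Current PHP rejects paths containing NUL, but '../' is still accepted.
function module_file_vulnerable(string $approot, string $module): string
{
    return $approot . 'mod/' . $module . '/main.inc';
}

// The page's patch: remove NUL so the '/main.inc' suffix is always honoured.
function module_file_patched(string $approot, string $module): string
{
    $module = str_replace("\0", "", $module);
    return $approot . 'mod/' . $module . '/main.inc';
}

// Stricter: a module name is an identifier, so reject anything else outright, then
// confirm the resolved file really sits under mod/ before it is included.
function module_file_strict(string $approot, string $module): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $module)) {
        return null;
    }
    $base = realpath($approot . 'mod');
    $file = realpath($approot . 'mod/' . $module . '/main.inc');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed APPROOT with one real module so the strict resolver has a target.
$approot = sys_get_temp_dir() . '/sahana_example_' . bin2hex(random_bytes(4)) . '/';
mkdir($approot . 'mod/mpr', 0700, true);
file_put_contents($approot . 'mod/mpr/main.inc', "<?php // mpr module stub\n");

$inputs = [
    'mpr',                                              // legitimate module
    "/../../../../../../../../../../../etc/passwd\0",   // the page's payload, URL-decoded
    '../../etc/passwd',                                 // traversal without a NUL
];
foreach ($inputs as $module) {
    printf("module %s\n", json_encode($module));
    printf("  vulnerable -> %s\n", json_encode(module_file_vulnerable($approot, $module)));
    printf("  patched    -> %s\n", json_encode(module_file_patched($approot, $module)));
    printf("  strict     -> %s\n", json_encode(module_file_strict($approot, $module)));
}

// Remove the temporary tree.
unlink($approot . 'mod/mpr/main.inc');
rmdir($approot . 'mod/mpr');
rmdir($approot . 'mod');
rmdir($approot);
```

The output makes the difference visible: for the payload, the vulnerable path ends in a NUL followed by /main.inc (which old PHP silently truncated), the patched path keeps /main.inc but still contains the ../ chain, and the strict resolver returns null for both hostile inputs while resolving mpr to the real file. Only the strict form is safe to pass to include.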
