security [2009/12/08 14:41]
greg
security [2010/04/07 18:12] (current)
Line 1: Line 1:
 ===Security Vulnerabilities=== ===Security Vulnerabilities===
  
-==2009:1029->> MPR Module Exploits==+==2010:0317 >> disabling Sahana security ACL via stream module == 
 + 
 +Ability to completely disable authentication via stream.php and commented 
 +out module authentication code within it. 
 + 
 +http://sahana/index.php?mod=admin&act=acl_enable_acl Authenticates correctly. \\ 
 +http://sahana/stream.php?mod=admin&act=acl_enable_acl Does not. 
 + 
 +The patch for this vulnerability disallow the streaming module from disabling the Sahana ACL. 
 + 
 +Code Commits:\\ 
 +trunk >> http://bazaar.launchpad.net/~sahana-php/s3/php-cvs-trunk/revision/4531 \\ 
 +rel_0_6 >> http://bazaar.launchpad.net/~sahana-php/s3/php-cvs-stable/revision/3798 \\ 
 +\\ 
 +\\ 
 +\\ 
 +\\ 
 +\\ 
 +==2009:1210 >> mod variable exploits in lib_locale ==
  
 Cross site scripting can be achieved by modifying the URL in Sahana to inject foreign code into the page: Cross site scripting can be achieved by modifying the URL in Sahana to inject foreign code into the page:
-http://sahana/index.php?mod=mpr&act=search&type=all>%22%27><img%20src%3d%22http://www.google.com/intl/en_ALL/images/logo.gif%22>+  http://sahana/index.php?mod=mpr>%22%27><img%20src%3d%22javascript:alert(23270)%22>&act=lc_set 
  
 Phishing can be done through an IFrame also via URL modifications: Phishing can be done through an IFrame also via URL modifications:
-http://sahana/index.php?mod=mpr&act=search&type=all'"><iframe%20src=http://demo.testfire.net>+  http://sahana/index.php?mod=mpr'"><iframe%20src=http://google.com>&act=lc_set
  
 Link Injection can also be achieved: Link Injection can also be achieved:
-http://sahana/index.php?mod=mpr&act=search&type="'><IMG%20SRC="/WF_XSRF.html">+  http://sahana/index.php?mod="'><IMG%20SRC="http://www.google.com/logos/newton10-tree.jpg">&act=lc_set 
  
 +The patch to this vulnerability cleanses the mod variable in lib_locale by making sure it meets the regular expression for a module's folder structure as noted here: http://wiki.sahana.lk/doku.php/dev:php_coding_convention#choosing_a_name_for_a_module_in_sahana_module
  
 Code commits:\\ Code commits:\\
-rel_0_6 >> \\ +rel_0_6 >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_locale/lib_locale.inc?r1=1.23.2.4&r2=1.23.2.5 \\ 
-trunk >> \\+trunk >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_locale/lib_locale.inc?r1=1.29&r2=1.30 \\ 
 +\\ 
 +\\ 
 +\\ 
 +\\ 
 +\\ 
 +==2009:1029-2 >> MPR Module Exploits==
  
 +Cross site scripting can be achieved by modifying the URL in Sahana to inject foreign code into the page:
 +  http://sahana/index.php?mod=mpr&act=search&type=all>%22%27><img%20src%3d%22http://www.google.com/intl/en_ALL/images/logo.gif%22>
  
 +Phishing can be done through an IFrame also via URL modifications:
 +  http://sahana/index.php?mod=mpr&act=search&type=all'"><iframe%20src=http://demo.testfire.net>
  
 +Link Injection can also be achieved:
 +  http://sahana/index.php?mod=mpr&act=search&type="'><IMG%20SRC="/WF_XSRF.html">
 +
 +All three of the above attacks can be eliminated by purifying the $_GET['type'] parameter from the URL before doing anything with it. The patch involves adding an additional function to search.inc in /mod/mpr and then calling this function to clean the variable before its use. 
 +
 +Code commits:\\
 +rel_0_6 >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/mod/mpr/search.inc?revision=1.17.24.8&view=markup \\
 +trunk >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/mod/mpr/search.inc?revision=1.31&view=markup \\
 +\\
 +\\
 +\\
 +\\
 +\\
 ==2009:1029-1 >> Session Fixation Exploit== ==2009:1029-1 >> Session Fixation Exploit==
  
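Review bot: the 2010:0317 entry states the root cause as the module authentication code inside stream.php being commented out, yet the fix as described only stops the stream module from disabling the Sahana ACL (the acl_enable_acl action); restoring the module authentication check in stream.php so that it gates every mod/act pair the way index.php does would close the whole class, not just the one action that was demonstrated. For the lib_locale and MPR entries, validating the mod variable against the module-folder regular expression and cleansing $_GET['type'] before use are the right input-side fixes; since all three payloads in each entry are reflected straight into the page, the matching output-side fix is to pass the value through htmlspecialchars() where it is echoed, so a later code path that forgets to call the cleaning function does not reopen the same XSS. Minor style point: the five stacked `\\` line breaks after each Code commits block would be simpler to maintain as a single `----` rule or one blank line between entries.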
Line 33: Line 75:
 rel_0_6 >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.12.4.1&view=markup\\ rel_0_6 >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.12.4.1&view=markup\\
 trunk >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.16&view=markup\\ trunk >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/inc/lib_session/handler_session.inc?revision=1.16&view=markup\\
- +\\ 
 +\\ 
 +\\ 
 +\\ 
 +\\
 ==2009:1019 >> Null character URL Exploit== ==2009:1019 >> Null character URL Exploit==
  
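Review bot: the only change in this region is the five stacked `\\` line breaks added after the trunk commit link of the Session Fixation entry; the same hand-counted spacing now appears after every entry, so a single `----` rule or one blank line between entries would keep the page consistent and easier to edit.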
Line 53: Line 98:
  $module_file = $APPROOT.'mod/'.$module.'/main.inc';  $module_file = $APPROOT.'mod/'.$module.'/main.inc';
  
-This issue can also be followed here with direct links to patches : https://sourceforge.net/tracker/index.php?func=detail&aid=2908356&group_id=127855&atid=709778+This issue can also be followed here : https://sourceforge.net/tracker/index.php?func=detail&aid=2908356&group_id=127855&atid=709778
  
 +Code commits:\\
 +rel_0_6 >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/www/index.php?revision=1.65.2.3&view=markup \\
 +trunk >> http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/www/index.php?revision=1.84&view=markup \\
  
  
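Review bot: the context line `$module_file = $APPROOT.'mod/'.$module.'/main.inc';` still builds an include path directly from the mod request parameter, so the null character fix in www/index.php (now linked from the added Code commits lines) should be paired with the same module-name regular-expression check that the lib_locale patch above applies to the mod variable; validating $module against that allowlist before the concatenation rejects any value that is not a plain module folder name, rather than rejecting only the one bad byte this entry describes.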
