---------------------------------------------------------------------------- Various Vulnerabilities in OWL Intranet Engine ---------------------------------------------------------------------------- Author: Jose Antonio Coret (Joxean Koret) Date: 2004 Location: Basque Country --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ OWL 0.7 and 0.8 - Owl is a multi user document repository (knowledgebase) system written in PHP4 for publishing files/documents onto the web for a corporation, small business, group of people, or just for yourself. Web : http://owl.sourceforge.net/ --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ A. Cross Site Scripting Vulnerabilities A1. In the script browser various parameters, that are used to write the html code, not are verified. Test URLS : http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1'><script>alert(document.location)</script>&order=creatorid&sortposted=DESC http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1&order=creatorid'><script>alert(document.location)</script>&sortposted=DESC B. SQL Injection Vulnerabilities B1. In the browser.php script the following parameters are vulnerables to an SQL Injection attacks. Test URLS : http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104[SQL%20INJECTION]&expand=1&order=creatorid&sortposted=DESC http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104&expand=1&order=creatorid&sortposted=DESC[SQL%20INJECTION] The fix: ~~~~~~~~ All problems are fixed in the CVS. Disclaimer: ~~~~~~~~~~~ The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. --------------------------------------------------------------------------- Contact: ~~~~~~~~ Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
Attachment:
signature.asc
Description: This is a digitally signed message part