[OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, phpsec@xxxxxxxxxxx
Subject: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed
From: Matteo Beccati <php@xxxxxxxxxxx>
Date: Fri, 26 Jan 2007 09:17:25 +0100
Cc: Jennifer Langdon <jennifer.langdon@xxxxxx>, Oliver George <oliver.george@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.5.0.9 (Windows/20061207)

========================================================================
Openads security advisory                            OPENADS-SA-2007-002
------------------------------------------------------------------------
Advisory ID:           OPENADS-SA-2007-002
Date:                  2007-Jan-25
Security risk:         low risk
Applications affetced: Max Media Manager
Versions affected:     <= Max Media Manager v0.1.29-rc and v0.3.30-alpha
Versions not affected: >= Max Media Manager v0.3.31-alpha-pr2
========================================================================


========================================================================
Vulnerability:  Cross-site scripting
========================================================================

Description
-----------
This is the description of the vulnerability recieved by JPCERT:

"We have confirmed that in admin-search.php, scripts included in
'keyword' parameter is shown without proper sanitization thus the
script could be executed.

However a user needs to login the system as administrator, which makes
the exploit technically difficult.

If this vulnerability is exploited, by script execution, a user's
session ID included in HTTP Cookie might be stolen. Also there's a risk
that the contents of phpAdsNew are falsified temporarily."

Note: Max Media Manager is derived from phpAdsNew and was affected by
the same vulnerability. MMM v0.3.30-alpha also has affiliate-search.php
which was vulnerable as well.


References
----------
- JVN#07274813: http://jvn.jp/jp/JVN%2307274813/index.html


Solution
--------
- If you are running v0.3.x, upgrade to v0.3.30-alpha-pr2
- If you are running v0.1.x, a patch is available here:

https://developer.openads.org/changeset/3919?format=zip&new=3919


Contact informations
====================

The security contact for Openads can be reached at:
<security AT openads DOT org>


Best regards
--
Matteo Beccati
http://www.openads.org
http://phpadsnew.com
http://phppgads.com

Follow-Ups:
- Re: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed
  - From: Matteo Beccati

Prev by Date: [ GLSA 200701-24 ] VLC media player: Format string vulnerability
Next by Date: Movable Type <= 3.33 XSS Exploit
Previous by thread: [ GLSA 200701-24 ] VLC media player: Format string vulnerability
Next by thread: Re: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed
Index(es):
- Date
- Thread