by r0t, der4444, cembo, VietMafia

Saturday, December 17, 2005

bitweaver multiple vuln.

Vuln. discovered by: r0t
Date: 17 Dec. 2005
Vendor: bitweaver.org
Affected versions: 1.1 and 1.1.1 beta and prior

Product Description:

bitweaver is a rename of the TikiPro software, and is a web-based open-source Web Application Framework that offers a wide range of features such as wiki, articles, phpBB bulletin board, newsletter, blogs, image/photo gallery, file sharing, link directory, poll/survey, quiz, FAQ, banners, webmail, calendar and categories. It is written in PHP and supports MySQL, PostgreSQL, Oracle, Sybase, and FireBird on Windows & Linux.

Vuln. Description:

1. SQL injection

bitweaver contains a flaw that allows remote SQL injection attacks. Input passed to the "sort_mode", "post_id" and "blog_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Some examples:

/fisheye/list_galleries.php?sort_mode=[SQL]
/blogs/view_post.php?post_id=[SQL]
/blogs/view.php?blog_id=[SQL]
/messages/message_box.php?sort_mode=[SQL]
/users/my.php?sort_mode=[SQL]

2. XSS

bitweaver contains a flaw that allows remote cross-site scripting attacks. This flaw exists because input passed to the "sort_mode", "post_id" and "blog_id" parameters, and to the search field in "/users/my_groups.php", isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Examples:

No separate examples are needed: use the first examples and only change the input.

3. Full path disclosure
With the errors produced by the previous vulnerabilities, an attacker can obtain the full install path and other sensitive information.

Solution:
Edit the source code to ensure that input is properly sanitised.
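The fix described above, as an added example that is not bitweaver's code and does not reflect the project's actual source: a small PHP request handler that whitelists "sort_mode" before it reaches an ORDER BY (placeholders cannot be used there), validates "blog_id" as a positive integer and binds it in a prepared statement (the SQL injection section), HTML-escapes anything reflected back into the page (the XSS section), and keeps database errors out of the response (the full path disclosure section). The table, column names, sort-mode keys and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
// Added hardening example (not bitweaver's code). Table and column names,
// sort-mode keys and the sample rows are constructed for this demo.
declare(strict_types=1);

// 1. sort_mode ends up inside ORDER BY, where a bound parameter cannot be
//    used, so the only safe option is a fixed whitelist of known clauses.
const SORT_MODES = [
    'created_desc' => 'created DESC',
    'created_asc'  => 'created ASC',
    'title_asc'    => 'title ASC',
    'title_desc'   => 'title DESC',
];

function sortClause(?string $sortMode, string $default = 'created_desc'): string
{
    $key = $sortMode ?? $default;
    if (!array_key_exists($key, SORT_MODES)) {
        $key = $default;   // unknown value: fall back, never interpolate the raw string
    }
    return SORT_MODES[$key];
}

// 2. post_id / blog_id must be positive integers; anything else is rejected.
function requirePositiveInt(?string $value, string $name): int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("Invalid $name");
    }
    return $id;
}

// The id is bound as a parameter; only the whitelisted clause is interpolated.
function listPosts(PDO $db, int $blogId, string $orderBy): array
{
    $stmt = $db->prepare(
        "SELECT post_id, title FROM blog_posts WHERE blog_id = :blog ORDER BY $orderBy"
    );
    $stmt->execute([':blog' => $blogId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Everything reflected into HTML (titles, the search term) is escaped.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Database errors are logged, not shown: a raw error message would reveal
//    the install path and query text to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function handleRequest(PDO $db, array $get): string
{
    try {
        $blogId = requirePositiveInt($get['blog_id'] ?? null, 'blog_id');
    } catch (InvalidArgumentException $ex) {
        return "400 Bad request\n";   // generic response, no details leaked
    }
    $out = '';
    foreach (listPosts($db, $blogId, sortClause($get['sort_mode'] ?? null)) as $row) {
        $out .= e($row['title']) . "\n";
    }
    $out .= 'You searched for: ' . e($get['search'] ?? '') . "\n";
    return $out;
}

// --- demo with an in-memory SQLite database (constructed sample data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog_posts (post_id INTEGER, blog_id INTEGER, title TEXT, created INTEGER)');
$db->exec("INSERT INTO blog_posts VALUES (1, 1, 'hello', 100), (2, 1, 'world', 200)");

// Malformed id: rejected before any SQL runs.
echo handleRequest($db, ['blog_id' => '1 OR 1=1', 'sort_mode' => 'created_desc']);
// Valid id, valid sort mode: "hello", then "world".
echo handleRequest($db, ['blog_id' => '1', 'sort_mode' => 'title_asc']);
// Valid id, sort mode not on the whitelist: falls back to created DESC,
// and the reflected search term is escaped rather than rendered as markup.
echo handleRequest($db, ['blog_id' => '1', 'sort_mode' => 'title; DROP TABLE blog_posts',
                         'search' => '<script>1</script>']);
```

The whitelist for "sort_mode" is the important design choice: prepared statements protect the WHERE clause, but an ORDER BY column or direction cannot be bound, so the only sound treatment is to map the request value onto a fixed set of clauses and default on anything unknown.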

2 Comments:

Anonymous told...

bitweaver has released version 1.2 to fix this. details:

http://www.bitweaver.org/forums/viewtopic.php?t=1299

Brian
OSVDB.org

10:36 AM


Lester Caine told...

And of course it is always courteous to advise the project of an identified security problem PRIOR to making the exploit public ;)

12:18 PM

Copyright (c) 2006 Pridels Sec Crew