by r0t,der4444,cembo,VietMafia

Tuesday, June 06, 2006

OBM Multiple SQL inj. and XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 6 June 2006
Vendor: http://obm.aliacom.fr/
Affected versions:
Tested on version 1.0.3pl1.
Other versions may also be affected.
###############################################


Vuln. Description:


1. Multiple SQL injection vuln.

OBM contains a flaw that allows remote SQL injection attacks. Input passed to the "new_order" and "order_dir" parameters in
"group/group_index.php", "user/user_index.php",
"list/list_index.php" and "company/company_index.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.



2. Multiple Cross-Site Scripting vuln.

OBM contains a flaw that allows remote Cross-Site Scripting attacks. Input passed to the "tf_lang", "tf_name", "tf_user", "tf_lastname",
"tf_contact", "tf_datebefore" and "tf_dateafter" parameters in certain files isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


Some examples:

http://obm-host/publication/publication_index.php?tf_title=&sel_type=_ALL_&tf_year=&tf_lang=[XSS]

http://obm-host/group/group_index.php?action=search&tf_name=[XSS]

http://obm-host/group/group_index.php?action=search&tf_name=&tf_user=[XSS]

http://obm-host/user/user_index.php?action=search&tf_login=&tf_lastname=[XSS]

http://obm-host/list/list_index.php?action=search&tf_name=[XSS]

http://obm-host/list/list_index.php?action=search&tf_name=&tf_contact=[XSS]


http://obm-host/group/group_index.php?action=search&tf_name=&tf_user=&page=&new_order=[SQL]

http://obm-host/group/group_index.php?action=search&tf_name=&tf_user=&page=&new_order=group_email&order_dir=[SQL]

http://obm-host/?action=search&tf_login=&tf_lastname=&sel_perms=&tf_email=&tf_desc=&tf_group=&cb_archive=&page=&new_order=[SQL]

http://obm-host/user/user_index.php?action=search&tf_login=&tf_lastname=&sel_perms=&tf_email=&tf_desc=&tf_group=&cb_archive=&page=&new_order=userobm_lastname&order_dir=[SQL]

http://obm-host/list/list_index.php?action=search&tf_name=&tf_contact=&sel_market=&page=&new_order=list_subject&order_dir=[SQL]

http://obm-host/list/list_index.php?action=search&tf_name=&tf_contact=&sel_market=&page=&new_order=[SQL]

http://obm-host/company/company_index.php?action=search&tf_name=&tf_phone=&sel_kind=&sel_cat=&tf_cat_code=&cb_cat_tree=&sel_act=&sel_naf=&tf_zip=&cb_archive=&sel_market=&tf_town=&sel_ctry=&sel_dsrc=&tf_dateafter=&tf_datebefore=[XSS]


http://obm-host/company/company_index.php?action=search&tf_name=&tf_phone=&sel_kind=&sel_cat=&tf_cat_code=&cb_cat_tree=&sel_act=&sel_naf=&tf_zip=&cb_archive=&sel_market=&tf_town=&sel_ctry=&sel_dsrc=&tf_dateafter=&tf_datebefore=&page=&new_order=company_vat&order_dir=DESC&entity=[SQL]

http://obm-host/company/company_index.php?action=search&tf_name=&tf_phone=&sel_kind=&sel_cat=&tf_cat_code=&cb_cat_tree=&sel_act=&sel_naf=&tf_zip=&cb_archive=&sel_market=&tf_town=&sel_ctry=&sel_dsrc=&tf_dateafter=&tf_datebefore=&page=&new_order=company_vat&order_dir=[SQL]

http://obm-host/company/company_index.php?action=search&tf_name=&tf_phone=&sel_kind=&sel_cat=&tf_cat_code=&cb_cat_tree=&sel_act=&sel_naf=&tf_zip=&cb_archive=&sel_market=&tf_town=&sel_ctry=&sel_dsrc=&tf_dateafter=&tf_datebefore=&page=&new_order=[SQL]

http://obm-host/company/company_index.php?action=search&tf_name=&tf_phone=&sel_kind=&sel_cat=&tf_cat_code=&cb_cat_tree=&sel_act=&sel_naf=&tf_zip=&cb_archive=&sel_market=&tf_town=&sel_ctry=&sel_dsrc=&tf_dateafter=[SQL]

http://obm-host/company/company_index.php?action=search&tf_name=&tf_phone=&sel_kind=&sel_cat=&tf_cat_code=&cb_cat_tree=&sel_act=&sel_naf=&tf_zip=&cb_archive=&sel_market=&tf_town=&sel_ctry=&sel_dsrc=&tf_dateafter=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
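What "properly sanitised" means for the two input classes in this advisory, as an added PHP example (not OBM's code and not the vendor's patch). It assumes, from the example URLs (new_order=group_email&order_dir=DESC), that new_order and order_dir end up in an ORDER BY clause; the column lists, function names and the request array are constructed for illustration. A sort column cannot be passed as a bound parameter in a prepared statement, so the fix for that class is an allow-list, while the reflected tf_* search fields need output encoding at the point they are written back into the form:

```php
<?php
// Added example, not OBM code. Column names other than the four taken from the
// advisory's URLs (group_email, userobm_lastname, list_subject, company_vat)
// are placeholders; the per-page lists are an assumption about the schema.
const SORTABLE_COLUMNS = [
    'group'   => ['group_name', 'group_email'],
    'user'    => ['userobm_login', 'userobm_lastname'],
    'list'    => ['list_name', 'list_subject'],
    'company' => ['company_name', 'company_vat'],
];

/**
 * Build an ORDER BY clause from the new_order / order_dir request parameters.
 * The weak pattern this replaces interpolates both values straight into the
 * SQL string ("... ORDER BY $new_order $order_dir"), which is the behaviour
 * the advisory reports. Here the column must be in the page's allow-list and
 * the direction must be exactly ASC or DESC; anything else is logged and
 * falls back to the default sort instead of reaching the database.
 */
function safe_order_clause(string $page, ?string $new_order, ?string $order_dir): string
{
    $columns = SORTABLE_COLUMNS[$page] ?? [];
    if ($columns === []) {
        throw new InvalidArgumentException("unknown page: $page");
    }
    if (in_array($new_order, $columns, true)) {
        $column = $new_order;
    } else {
        // Rejected values are worth logging: a sort column that is not one
        // of the form's own links is a useful detection signal.
        error_log("rejected new_order for $page: " . var_export($new_order, true));
        $column = $columns[0];
    }
    $dir = strtoupper((string) $order_dir) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $column $dir";
}

/**
 * Encode a search-form value (tf_name, tf_user, tf_lastname, tf_contact, ...)
 * before it is written back into an HTML attribute, so a reflected value
 * cannot close the attribute or inject markup. ENT_QUOTES covers both quote
 * styles, which matters inside value="...".
 */
function html_attr(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request parameters standing in for $_GET on group_index.php.
$get = [
    'action'    => 'search',
    'tf_name'   => '"><b>not markup</b>',   // constructed reflected value
    'tf_user'   => '',
    'new_order' => 'group_email',
    'order_dir' => 'desc',
];

// Sort clause from trusted request values: column is allow-listed, direction normalised.
echo safe_order_clause('group', $get['new_order'], $get['order_dir']), "\n";
// ORDER BY group_email DESC

// Sort clause from a value that is not a known column: falls back to the default.
echo safe_order_clause('group', 'not_a_column', 'sideways'), "\n";
// ORDER BY group_name ASC

// The search form re-rendered with the submitted values encoded.
echo '<input type="text" name="tf_name" value="' . html_attr($get['tf_name']) . '">', "\n";
echo '<input type="text" name="tf_user" value="' . html_attr($get['tf_user']) . '">', "\n";
// <input type="text" name="tf_name" value="&quot;&gt;&lt;b&gt;not markup&lt;/b&gt;">
```

The allow-list is the important design choice: validating the sort column against a fixed set of names removes the need to guess which characters are dangerous in that position, and the same set can double as the list of sortable column links the page renders. Values that the search fields feed into a WHERE clause (tf_name, tf_contact and the rest) belong in bound parameters of a prepared statement rather than in string concatenation; the encoding step above is for the separate problem of echoing them back into the form.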
More information @ unsecured-systems.com/forum/

1 Comments:

Anonymous Mehdi Rande told...

Hi,
Thanks for reporting, we're now aware of those vulnerabilities and will work on a patch to fix this.
Thanks again.
Mehdi Rande
mehdi_dot_rande_at_aliacom_dot_fr
Aliacom

2:42 PM

Copyright (c) 2006 Pridels Sec Crew