Saturday, 12 May 2012

Jaow CMS v2.3 - Multiple Web Vulnerabilities

Jaow CMS is a very small CMS: it is simple, has readable code, and anyone can easily create templates and/or build modules for their own needs. Jaow is aimed mainly at small sites, blogs or portfolios. Here is the list of features currently available:


* Category Manager
* Section Manager (using TinyMCE)
* Manager menu (adding links)
* Manager template (using Vtemplate)
* File Manager (using Elfinder)
* Manager of partners
* User Manager (Administration access)
* Contact Form
* General Configuration via Back-Office
* Manager Comments
* Maintenance Manager Site
* Backing up the database
* Page Manager
* Statistics Tool
* Notation articles
* Share with social networks (twitter, Facebook)
* Customize error 404
* Generating RSS feeds

 

It contains many SQL Injection bugs.
The code also has XSS bugs.

Vulnerable files:
 
* SQL Injection 
 
        [+] administration/articles.php
        [+] administration/categories.php
        [+] administration/pages.php
        [+] administration/menu.php
        [+] administration/liens.php

* XSS

        [+] modules/Commentaires/mod_commentaires.php
        [+] administration/articles.php
        [+] administration/categories.php
        [+] administration/pages.php
        [+] administration/configuration.php
        [+] administration/utilisateur.php

Fix:
 
In file: administration/pages.php
On line 49:

 $Id_selection = $_GET['modifier_pages'];

replace with:

 $Id_selection = (int)$_GET['modifier_pages'];

In file: administration/menu.php
On line 48:

 $Id_selection = $_GET['modifier_menus'];

replace with:

 $Id_selection = (int)$_GET['modifier_menus'];

In file: administration/liens.php
On line 49:

 $Id_selection = $_GET['modifier_liens'];

replace with:

 $Id_selection = (int)$_GET['modifier_liens'];

In file: administration/categories.php
On line 50:

 $Id_selection = $_GET['id'];

replace with:

 $Id_selection = (int)$_GET['id'];

In file: administration/articles.php
On line 48:

 $Id_selection = $_GET['modifier_articles'];

replace with:

 $Id_selection = (int)$_GET['modifier_articles'];

In file: administration/articles.php
On line 137:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: administration/categories.php
On line 115:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: administration/liens.php
On line 105:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: administration/menu.php
On line 103:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: administration/pages.php
On line 100:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: administration/statistiques.php
On line 184:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: administration/utilisateur.php
On line 66:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: archives.php
On line 65:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: articles.php
On line 48:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: articles_categories.php
On line 86:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;

In file: liens.php
On line 68:

 $start_pages = ($courant - 1) * $nb_results_p_page;

replace with:

 $start_pages = ($courant - 1) * $nb_results_p_page;
 $start_pages = (int)$start_pages;
 if($start_pages<0) $start_pages = 0;
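
The two patterns above (integer cast on the record ID, integer cast plus lower clamp on the pagination offset), shown as an added example that is not Jaow's own code. It goes one step further than the page and binds the values in prepared statements, so the query stays safe even where a cast is missed. The `pages` table, its columns and the function names are assumptions, since the page does not show the queries.

```php
<?php
// Added example, not Jaow code. Table, column and function names are assumed.

// Offset as in the patched lines: force an integer, then clamp at 0.
// The page number is cast before the arithmetic so a non-numeric value cannot reach it.
function page_offset($courant, int $nb_results_p_page): int
{
    $start_pages = ((int)$courant - 1) * $nb_results_p_page;
    return max(0, $start_pages);
}

// Record lookup: the (int) cast from the fix, plus a bound integer parameter,
// so the value never becomes part of the SQL text.
function fetch_page(PDO $db, $raw_id): ?array
{
    $stmt = $db->prepare('SELECT id, titre FROM pages WHERE id = :id');
    $stmt->bindValue(':id', (int)$raw_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Paginated listing with both LIMIT values bound as integers.
function list_pages(PDO $db, $courant, int $per_page): array
{
    $stmt = $db->prepare('SELECT id, titre FROM pages ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':lim', $per_page, PDO::PARAM_INT);
    $stmt->bindValue(':off', page_offset($courant, $per_page), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, titre TEXT)');
$db->exec("INSERT INTO pages (titre) VALUES ('Home'), ('About'), ('Contact')");

// Constructed request values standing in for $_GET['modifier_pages'] and the page number.
var_dump(fetch_page($db, '2abc'));      // the cast drops the non-numeric suffix
var_dump(fetch_page($db, 'abc'));       // the cast yields 0, which matches no row
var_dump(page_offset('0', 10));         // negative before the clamp
var_dump(page_offset('-5', 10));        // negative before the clamp
var_dump(list_pages($db, '0', 2));      // first page, offset clamped
```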

XSS:

In file: modules/Commentaires/mod_commentaires.php
On line 49:

 $Pseudo = addslashes($_POST['Pseudo']);

replace with:

 $Pseudo = htmlentities(addslashes($_POST['Pseudo']));

In file: administration/articles.php
On line 105:

 $Titre = addslashes($_POST['titre']);

replace with:

 $Titre = htmlentities(addslashes($_POST['titre']));

On line 107:

 $Sommaire = addslashes($_POST['sommaire']);

replace with:

 $Sommaire = htmlentities(addslashes($_POST['sommaire']));

On line 108:

 $Contenu = addslashes($_POST['contenu']);

replace with:

 $Contenu = htmlentities(addslashes($_POST['contenu']));

In file: administration/categories.php
On line 85:

 $Titre = addslashes($_POST['titre']);

replace with:

 $Titre = htmlentities(addslashes($_POST['titre']));

In file: administration/pages.php
On line 71:

 $Titre = addslashes($_POST['titre']);

replace with:

 $Titre = htmlentities(addslashes($_POST['titre']));

In file: administration/pages.php
On line 72:

 $Contenu = addslashes($_POST['contenu']);

replace with:

 $Contenu = htmlentities(addslashes($_POST['contenu']));

In file: administration/configuration.php
On line 180:

 $Titre = addslashes($_POST['Titre']);

replace with:

 $Titre = htmlentities(addslashes($_POST['Titre']));

On line 185:

 $Footer = addslashes($_POST['Footer']);

replace with:

 $Footer = htmlentities(addslashes($_POST['Footer']));

In file: administration/utilisateur.php
On line 57:

 $Pseudo = stripAccents($_POST['Pseudo']);

replace with:

 $Pseudo = htmlentities(stripAccents($_POST['Pseudo']));
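
An added example (not Jaow's code) of the same encoding step applied at the point where a value is written into HTML, with the flags and charset passed explicitly; before PHP 8.1 the default flag for `htmlentities()` was `ENT_COMPAT`, which leaves single quotes unencoded. The function names `e` and `render_author` and the sample value are assumptions.

```php
<?php
// Added example, not Jaow code. Function names and the sample value are assumed.

// Encode at output time with explicit flags and charset, so the result does not
// depend on the defaults of the PHP version in use.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders one comment author (the $Pseudo field) in both an attribute and element content.
// The attribute is single-quoted on purpose: that is the context ENT_COMPAT does not cover.
function render_author(string $pseudo): string
{
    return "<span class='author' title='" . e($pseudo) . "'>" . e($pseudo) . "</span>";
}

// Constructed sample input standing in for $_POST['Pseudo'].
$pseudo = "O'Brien <b>admin</b>";

// ENT_COMPAT encodes the tags and double quotes but leaves the single quote alone.
echo htmlentities($pseudo, ENT_COMPAT, 'UTF-8'), "\n";
// ENT_QUOTES encodes the single quote as well.
echo htmlentities($pseudo, ENT_QUOTES, 'UTF-8'), "\n";
// Same value rendered through the helper, safe in both contexts.
echo render_author($pseudo), "\n";
```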
