Ourvideo CMS Multiple Input Validation Vulnerabilities
BID:29909
Info
Ourvideo CMS Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 29909 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-2978 CVE-2008-2977 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 23 2008 12:00AM |
| Updated: | Jul 06 2016 02:17PM |
| Credit: | CraCkEr |
| Vulnerable: |
Ourvideo CMS Ourvideo CMS 9.5 |
| Not Vulnerable: | |
Discussion
Ourvideo CMS Multiple Input Validation Vulnerabilities
Ourvideo CMS is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include two remote file-include issues, a local file-include issue, and two cross-site scripting issues.
Attackers can exploit the remote file-include issues to execute arbitrary script code in the context of the webserver process. They can exploit the local file-include issue to execute arbitrary local scripts in the context of the webserver and access sensitive information. They can leverage the cross-site scripting issues to steal cookie-based authentication credentials. Other attacks are possible; information harvested can aid in further attacks.
Ourvideo CMS 9.5 is vulnerable; other versions may also be affected.
Ourvideo CMS is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include two remote file-include issues, a local file-include issue, and two cross-site scripting issues.
Attackers can exploit the remote file-include issues to execute arbitrary script code in the context of the webserver process. They can exploit the local file-include issue to execute arbitrary local scripts in the context of the webserver and access sensitive information. They can leverage the cross-site scripting issues to steal cookie-based authentication credentials. Other attacks are possible; information harvested can aid in further attacks.
Ourvideo CMS 9.5 is vulnerable; other versions may also be affected.
Exploit / POC
Ourvideo CMS Multiple Input Validation Vulnerabilities
Attackers can exploit these issues using a browser. To exploit a cross-site scripting issue, an attacker must entice an unsuspecting user to follow a specially crafted URI.
The following example URIs are avaialble:
http://www.example.com/path/phpi/edit_top_feature.php?include_connection=[SHELL]
http://www.example.com/path/phpi/edit_topics_feature.php?include_connection=[SHELL]
http://www.example.com/path/phpi/rss.php?prefix=[LFI]
http://www.example.com/path/phpi/login.php?top_page=[XSS]
http://www.example.com/path/phpi/login.php?end_page=[XSS]
Attackers can exploit these issues using a browser. To exploit a cross-site scripting issue, an attacker must entice an unsuspecting user to follow a specially crafted URI.
The following example URIs are avaialble:
http://www.example.com/path/phpi/edit_top_feature.php?include_connection=[SHELL]
http://www.example.com/path/phpi/edit_topics_feature.php?include_connection=[SHELL]
http://www.example.com/path/phpi/rss.php?prefix=[LFI]
http://www.example.com/path/phpi/login.php?top_page=[XSS]
http://www.example.com/path/phpi/login.php?end_page=[XSS]
Solution / Fix
Ourvideo CMS Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
Ourvideo CMS Multiple Input Validation Vulnerabilities
References:
References:
- Ourvideo CMS Homepage (Ourvideo CMS)