Ovidentia 7.9.4 Multiple Remote Vulnerabilities
Title: Ovidentia 7.9.4 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2013-5154
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 22.08.2013
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
[2] http://secunia.com/advisories/54587/
[3] http://cxsecurity.com/issue/WLB-2013080177
[4] http://www.securityfocus.com/bid/61936
[5] http://www.exploit-db.com/exploits/27771/
[6] http://www.osvdb.org/show/osvdb/96516
[7] http://1337day.com/1337day-2013-21147
[8] http://forums.cnet.com/7726-6132_102-5489845.html
[9] http://www.securelist.com/en/advisories/54587
[10] http://securitytracker.com/id/1028943
[11] http://www.eeye.com/resources/security-center/research/zero-day-tracker/2013/20130822
[12] http://xforce.iss.net/xforce/xfdb/86603
[13] http://xforce.iss.net/xforce/xfdb/86605
[14] http://xforce.iss.net/xforce/xfdb/86606
[23.08.2013] - Added reference [6]
[24.08.2013] - Added reference [7], [8] and [9]
[26.08.2013] - Added reference [10]
[07.09.2013] - Added reference [11]
[14.10.2013] - Added reference [12], [13] and [14]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2013-5154
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 22.08.2013
Summary
Ovidentia is both a content management system (CMS) and a collaborative environment (Groupware).Description
Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site.Vendor
Cantico - http://www.ovidentia.orgAffected Version
7.9.4Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
N/APoC
ovidentia_multiple.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://packetstormsecurity.com/files/122896[2] http://secunia.com/advisories/54587/
[3] http://cxsecurity.com/issue/WLB-2013080177
[4] http://www.securityfocus.com/bid/61936
[5] http://www.exploit-db.com/exploits/27771/
[6] http://www.osvdb.org/show/osvdb/96516
[7] http://1337day.com/1337day-2013-21147
[8] http://forums.cnet.com/7726-6132_102-5489845.html
[9] http://www.securelist.com/en/advisories/54587
[10] http://securitytracker.com/id/1028943
[11] http://www.eeye.com/resources/security-center/research/zero-day-tracker/2013/20130822
[12] http://xforce.iss.net/xforce/xfdb/86603
[13] http://xforce.iss.net/xforce/xfdb/86605
[14] http://xforce.iss.net/xforce/xfdb/86606
Changelog
[22.08.2013] - Initial release[23.08.2013] - Added reference [6]
[24.08.2013] - Added reference [7], [8] and [9]
[26.08.2013] - Added reference [10]
[07.09.2013] - Added reference [11]
[14.10.2013] - Added reference [12], [13] and [14]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
