____________________ ___ ___ ________ \_ _____/\_ ___ \ / | \\_____ \ | __)_ / \ \// ~ \/ | \ | \\ \___\ Y / | \ /_______ / \______ /\___|_ /\_______ / \/ \/ \/ \/ .OR.ID ECHO_ADV_15$2005 --------------------------------------------------------------------------- [ECHO_ADV_15$2005] Full path disclosure and XSS in Cerberus Helpdesk --------------------------------------------------------------------------- Author: Dedi Dwianto Date: June, 07th 2005 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv15-theday-2005.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Cerberus Helpdesk version: >0.97.3 url : http://www.cerberusweb.com Author: WebGroup Media, LLC Description: Cerberus Helpdesk is script write in php for manage customer support create by WebGroup Media.Cerberus Helpdesk, handles mission critical e-mail management for over 4,000 companies worldwide -- from one-person startups to Fortune 500 giants. But I Found Vulnarable XSS and FUll Path disclosure for that. --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ A. Full path disclosure * http://localhost/cerberus/reports.php?report=1[char]&sid=[session id] ex : http://localhost/cerberus/reports.php?report=1dudul&sid=f1944ec07bcbab62f52bbd5b00334e75 Error : Cerberus [Errno: 2]: build_report(/var/www/html/cerberus/includes/reports/): failed to open stream: Success in /var/www/html/cerberus/cerberus-api/reports/cer_Report.class.php at line 197. * http://localhost/cerberus/knowledgebase.php?root=1&sid=[session id] ex : http://localhost/cerberus/knowledgebase.php?root=1&sid=f215cf14a3c0df908cf8bdf8a99c2a84 Error : Fatal error: Allowed memory size of 33554432 bytes exhausted at (null):0 (tried to allocate 12 bytes) in /var/www/html/cerberus/includes/s/functions/error_trapping.php on line 26 * http://localhost/cerberus/configuration.php?module=kbase_comments&sid=[session id] ex : http://localhost/cerberus/configuration.php?module=kbase_comments&sid=f215cf14a3c0df908cf8bdf8a99c2a84 Error : Fatal error: Allowed memory size of 34603016 bytes exhausted at (null):0 (tried to allocate 110 bytes) in /var/www/html/cerberus/cerberus-api/knowledgebase/cer_KnowledgebaseTree.class.php on line 183 B. Cross Site Scripting / XsS * http://localhost/cerberus/index.php?errorcode=[Xss]&errorvalue=4&sid=[session id] * http://localhost/cerberus/clients.php?mode=c_view&id=[id]&sid=[id] User can input html tag into field and can execute C. Solution Vendor Response : http://forum.cerberusweb.com/showthread.php?threadid=5162&goto=newpost --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous ~ Lieur Euy , MSR ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o@DALNET --------------------------------------------------------------------------- Contact: ~~~~~~~~ the_day || echo|staff || the_day[at]echo[dot]or[dot]id Homepage: http://theday.echo.or.id/ -------------------------------- [ EOF ] ----------------------------------