High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Habari which could be exploited to perform cross-site scripting attacks and gain potentially sensitive information.
Information disclosure weakness in Habari: CVE-2010-4608
The weakness was found in the “/system/admin/header.php” and “/system/admin/comments_items.php” scripts. A remote attacker can learn the application's installation path by requesting these scripts directly.
Exploitation example:
http://[host]/system/admin/header.php
http://[host]/system/admin/comments_items.php
Cross-site scripting (XSS) vulnerabilities in Habari: CVE-2010-4607
2.1 The vulnerability exists due to an input sanitization error in the “additem_form” parameter in system/admin/dash_additem.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface, and that register_globals is on.
Exploitation example:
http://[host]/system/admin/dash_additem.php?additem_form=<script>alert('XSS');</script>
2.2 The vulnerability exists due to an input sanitization error in the “status_data” parameter in system/admin/dash_status.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface, and that register_globals is on.
Exploitation example:
http://habari/system/admin/dash_status.php?status_data[1]=<script>alert('XSS');</script>
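Added example (not part of the original advisory and not Habari code): a log check that flags direct requests to the four scripts named above and notes when the affected parameter is supplied in the URL. The sample log lines are constructed, and the combined-log layout and the finding labels are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Scripts named in the advisory, with the parameter each XSS item abuses.
# They are admin templates, so any direct request to them is anomalous.
TEMPLATES = {
    "/system/admin/header.php": None,
    "/system/admin/comments_items.php": None,
    "/system/admin/dash_additem.php": "additem_form",
    "/system/admin/dash_status.php": "status_data",
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>\"']")

def classify(line):
    """Return (script, finding) if the line requests a listed script, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = re.sub(r"/+", "/", unquote(url.path)).lower()
    script = next((t for t in TEMPLATES if path.endswith(t)), None)
    if script is None:
        return None
    param = TEMPLATES[script]
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        # status_data is passed as an array element: status_data[1]=...
        if param and key.split("[", 1)[0] == param:
            # Markup matches the XSS items; any value means a URL-set template variable.
            return script, ("markup-in-param" if MARKUP.search(value) else "param-set")
    return script, "direct-access"

def scan(lines):
    """Classify every line and keep only the ones that produced a finding."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (combined-log style), not taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2011:10:00:00 +0000] "GET /system/admin/header.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2011:10:00:05 +0000] "GET /blog/system/admin/dash_additem.php'
    '?additem_form=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2011:10:01:00 +0000] "GET /system/admin/dash_status.php'
    '?status_data[1]=ok HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2011:10:02:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for script, finding in scan(SAMPLE_LOG):
        print(f"{finding:16} {script}")
```

The path match uses a suffix comparison so installations under a subdirectory are covered as well.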