J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1545
    posted: 11/19/09
  • NSM Daily Update #1545
    posted: 11/19/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1545
    posted: 11/19/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/19/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/19/09

Title: Owl Intranet Engine Multiple Cross-Site Scripting and SQL Injection Vulnerabilities

Severity: MODERATE

Description:

Owl Intranet Engine is a Web-based multi-user document repository implemented in PHP.

Owl Intranet Engine is prone to multiple cross-site scripting and SQL injection vulnerabilities. The issues are reported to exist in the 'browse.php' script.

The 'expand' and 'order' URI parameters are affected by cross-site scripting vulnerabilities. This is because input supplied through these parameters is not adequately sanitized before being output into dynamically generated pages.

The 'parent' and 'sortposted' URI parameters are affected by SQL injection vulnerabilities. This is because input supplied through these parameters is not adequately sanitized before being included in SQL queries.

An attacker could exploit the cross-site scripting issues by enticing a victim user into following a malicious link that contains hostile HTML and script code. Embedded HTML and script code would be able to access properties of the hosting Web site. This could be exploited to steal cookie-based authentication credentials.

The SQL injection vulnerabilities could allow the attacker to influence the structure or logic of SQL queries made by the application. This could have various impacts, including compromise of the software, exposure and modification of sensitive information, or a potential for attacks against the database implementation itself.

The attacker may need to provide a valid session ID to exploit these issues.

Affected Products:

  • Owl Owl Intranet Engine 0.6.0
  • Owl Owl Intranet Engine 0.7.0
  • Owl Owl Intranet Engine 0.71.0
  • Owl Owl Intranet Engine 0.72.0
  • Owl Owl Intranet Engine 0.73.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.