Author: Magistrat

Date: 30/03/2003

Object: XOOPS glossary Module Input Filtering Bug Allows Remote Users to

Conduct Cross-Site Scripting Attacks

Impact: Disclosure of authentication information, Execution of arbitrary

code via network, Modification of user information, User access via network

Fix: yes

--------------------------------------------------

After the module quizz and private message of xoops, i have found an

another risk in glossary whit some test on Web sites using xoops versions

1.3.8 to 1.3.9 ( Glossary on V2.0 is not holed )

Description of glossary module :

This is just the module on xoops who permit to make dictionnary with

search engine.

--------------------------------------------------

The vulnerability :

A remote user can conduct cross-site scripting attacks against this module

and send a message like this :

<url=http://www.blocus-zone.com/modules/glossaire/glossaire-aff.php?

lettre=<IMG%20SRC="http://www.blocus-

zone.com/modules/news/images/topics/smblocus.gif">]click here for

register</url>

We obtain:

http://www.blocus-zone.com/modules/news/images/topics/bugblocus.jpg

( Note that the code that we have presented here is not dangerous, however

there is some codes

much more malicious to steal the admin c o o k i e )

--------------------------------------------------

History:

the team of xoops dévellopement as her community was prevented on

11/24/2003. Patch are not available by xoops developer. Moreover, the

author of the glossary module for 1.3.x versions, work now for an another

content management system.

Solution:

in glossaire-aff.php, add this script :

-----------------------------------------------

foreach ($_REQUEST as $key=>$value) {

$value=htmlspecialchars($value,ENT_QUOTES);

${$key} = $value;

$_GET[$key] = $value;

$HTTP_GET_VARS[$key] = $value;

}

-----------------------------------------------

thanks:

to frogman from phpsecure.org >

http://www.phpsecure.org

(sorry for my poor english )

Regards

Magistrat

[ reply ]