Message-ID: <GLEMJPMBLEBOMFFNPPLFEEENCFAA.petef@sec-tec.co.uk>
Date: Fri, 25 Jul 2003 10:11:12 +0100
From: "Pete Foster" <petef@...-tec.co.uk>
To: <bugtraq@...urityfocus.com>
Subject: XSS in e107 website system



Sec-Tec Advisory - Multiple XSS in e107

The most up to date version of this advisory can always be found at:
www.sec-tec.co.uk/vulnerability/e107xss.html

Advisory creation date:	14th July 2003
Product:		e107 blog/portal system
Tested version:		0.554
Vulnerability:		Multiple XSS
Discovered by:		Pete Foster - Sec-Tec Ltd (www.sec-tec.co.uk)

Product:
e107 is what is commonly known as a CMS, or content management system. It
gives you a completely interactive website without the need to learn HTML,
PHP etc.

Description:
During a penetration test of a client's network, XSS issues were found in
the e107 application.  The application uses custom tags that allow users to
format text without using HTML.  A flaw in the sanitization of these tags
allows a user to insert code into the generated HTML.  This vulnerability
could be used to steal cookie data.  The vulnerability can be exploited by
unauthenticated users because of the "Chatbox" feature of the site: the
Chatbox allows users to post messages anonymously, and these messages appear
in the main template of every page.

Affected object:
The file that is responsible for processing the custom tags is class2.php,
the function being tp($text, $mode="off").

Exploit:
On pages where the custom tags can be entered (Chatbox, forum posts) the
following tags can be manipulated.
[img][/img] - [img]/imgsrc.png' onmouseover='alert("Vulnerable");[/img]
[link][/link] - [link]/link.htm" onmouseover="alert('Vulnerable');[/link]
[email][/email] - [email]/foo@....com" onmouseover="alert('Vulnerable');[/email]
[url][/url] - [url]/url.htm" onmouseover="alert('Vulnerable');[/url]

Fix:
Add a filter to the search/replace array in class2.php (function tp) that
removes script code (i.e. onMouseOver, onClick, etc.).
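To show the difference between the flawed and the corrected tag handling, here is an added example in PHP; it is not e107's class2.php or its tp() function but a minimal reconstruction, and the names tp_vulnerable, tp_hardened and safe_url are hypothetical. Rather than the handler-name blocklist suggested above, the hardened version escapes the tag body as an HTML attribute value and only accepts relative paths or http(s) URLs, which also covers active URL schemes that a list of event names would not catch.

```php
<?php
// Added example, not e107 code: a minimal renderer for the [img]/[url]/
// [link]/[email] tags in a vulnerable and a hardened form.
// Vulnerable form: the tag body is dropped into an HTML attribute unchanged,
// so a quote in the body ends the attribute and the rest becomes markup.
function tp_vulnerable(string $text): string {
    $text = preg_replace('#\[img\](.*?)\[/img\]#s', '<img src=\'$1\'>', $text);
    $text = preg_replace('#\[(url|link)\](.*?)\[/\1\]#s', '<a href="$2">$2</a>', $text);
    $text = preg_replace('#\[email\](.*?)\[/email\]#s', '<a href="mailto:$1">$1</a>', $text);
    return $text;
}

// Only relative paths or http(s) URLs are accepted; the value is then escaped
// with ENT_QUOTES so neither quote style can terminate the attribute.
function safe_url(string $raw): ?string {
    $raw = trim($raw);
    if (preg_match('#^(?:https?://|/)#i', $raw) !== 1) {
        return null;
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function tp_hardened(string $text): string {
    $text = preg_replace_callback('#\[img\](.*?)\[/img\]#s', function ($m) {
        $src = safe_url($m[1]);
        return $src === null ? '' : "<img src=\"$src\" alt=\"\">";
    }, $text);
    $text = preg_replace_callback('#\[(url|link)\](.*?)\[/\1\]#s', function ($m) {
        $href = safe_url($m[2]);
        // Rejected values are shown as escaped text, never as a link.
        return $href === null
            ? htmlspecialchars($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : "<a href=\"$href\">$href</a>";
    }, $text);
    $text = preg_replace_callback('#\[email\](.*?)\[/email\]#s', function ($m) {
        $addr = trim($m[1]);
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return '';
        }
        $addr = htmlspecialchars($addr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "<a href=\"mailto:$addr\">$addr</a>";
    }, $text);
    return $text;
}

// Constructed Chatbox input using the [img] payload quoted in the advisory.
$post = "[img]/imgsrc.png' onmouseover='alert(\"Vulnerable\");[/img]";
echo tp_vulnerable($post), "\n"; // src attribute closed early, handler injected
echo tp_hardened($post), "\n";   // quotes escaped, the whole body is inert src text
```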

Release timeline:
Vulnerability discovered:	June 13th 2003
Vendor notified:		June 20th 2003
Vendor response:		No response
Public release:			24th July 2003

If using this document, please link to:
http://www.sec-tec.co.uk/vulnerability/e107xss.html



