lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040501005636.5312.qmail@gulo.org>
Date: Sat, 01 May 2004 02:56:36 +0200
From: "Manuel Lopez" <mantra@...o.org>
To: bugtraq@...urityfocus.com
Subject: Props 0.6.1 XSS and Remote File Viewing Vulnerability


#Title: Props 0.6.1 XSS and Remote File Viewing Vulnerability. 

#Software: Props 0.6.1
#Vendor: http://props.sourceforge.net/
#Platform: PHP4 and MySQL 


#Description: 

PROPS is an open, extensible Internet publishing system designed 
specifically for periodicals 

such as newspapers and magazines who want to publish online, either 
exclusively or as an 

extension of their print publication. 

 


#Vulnerabilities: 

A flaw in lib/glossary.php discloses files on the system to Remote Users.
The function do_search() let Remote Users conduct Cross-Site scripting 
attacks. 

 


#Remote File Viewing# 

A remote user can request a crafted URL to view files on the system.
The problem is in the function glossary_init() in lib/glossary.php. 

 


#Example: 

/?module=../config&format=php 

This url shows you the php source of config.php (depending on the structure 
of directories, it is only an example) 

 


·.This is the vulnerable code: 

function glossary_init() { 

   global $GLOSSARY, $MIME_TYPES, $HTTP_SERVER_VARS; 

   $GLOSSARY = array();
	
   if (get_form_field("module") != "")
       glossary_set("module", get_form_field("module"));
   else
       glossary_set("module", "displaysection"); 

   if (get_form_field("section_id"))
       glossary_set("section_id", intval(get_form_field("section_id")));
   else
       glossary_set("section_id", FRONTPAGE_SECTION_ID); 

   if (get_form_field("format") != "")
       glossary_set("format", get_form_field("format"));
   else
       glossary_set("format", "html");

   if (get_form_field("alternate_template_suffix") != "")
       glossary_set("alternate_template_suffix", 		 

       get_form_field("alternate_template_suffix"));

   if (get_form_field("edition_id") != "")
       glossary_set("edition_id", intval(get_form_field("edition_id")));
   else
       glossary_set("edition_id", current_edition()); 

   glossary_set("mime_type", $MIME_TYPES[glossary_get("format")]); 

   glossary_set("request_uri", $HTTP_SERVER_VARS["REQUEST_URI"]);
} 


The function does not sanitize the $module and $format variables. A possible 
solution can be to filter these variables against directory transversal and 
format attack. 

 


#Cross-Site Scripting# 

archives/lib/do_search.php 

The function do_search() does not sanitize properly. An XSS attack is 
possible in $search_string. 

 


#Example: 

/?module=archives&op=search&search_string="><script>alert()</script> 

 

·.Vulnerable code: 

   $search_string = get_form_field("search_string");
   $search_string = ereg_replace("[;]", "", $search_string);
   $search_string = addslashes($search_string);
   glossary_set("search_string", $search_string); 

 


#SOLUTIONS: 

CVS has been updated and version 0.6.2 of props has been released. It also 
contains some other small bug fixes. 

For those that want to patch by hand, you need to make a total of 3 changes
to two files: 


1. In props/lib/glossary.php change line 36 to: 

glossary_set("module", ereg_replace("[^_a-zA-Z0-9]", "",
get_form_field("module"))); 


2. In props/lib/glossary.php replace lines 47-52 with: 

   // Default format is HTML
   if (get_form_field("format") != "") { 

       // Make sure this output format is defined in config.php
       if (array_key_exists(get_form_field("format"), $MIME_TYPES))
           glossary_set("format", get_form_field("format"));
       else
           die ("Invalid format"); 

   } else
       glossary_set("format", "html"); 


3. In props/modules/archives/do_search.php change line 27 to: 

   $search_string = ereg_replace("[^_a-zA-Z0-9.,]", "", $search_string); 


Version 0.6.2 of props available on the sourceforge.net website has these
changes and you can upgrade via your normal methods if you don't want to
patch by hand. 

http://sourceforge.net/project/showfiles.php?group_id=29581 

Thanks to Blake Girardot the vulnerabilities are now fixed. 


#Credits: 

Manuel Lopez, mantra@...o.org 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ