lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040522225120.8356.qmail@www.securityfocus.com>
Date: 22 May 2004 22:51:20 -0000
From: Chris Norton <kicktd@...security.us>
To: bugtraq@...urityfocus.com
Subject: e107 web portal user.php XSS (Cross Site Scripting)




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-------------------------------------------------
R.A.M Security Advisory
-------------------------------------------------
http://www.ramsecurity.us
-------------------------------------------------
Severity: Medium
Title: e107 web portal user.php xss
Date: May 21, 2004
-------------------------------------------------

  Synopsis:

 All versions of e107 have a vulnerability that
allows javascript or html content in user.php.


  Description:

 All versions of e107 have a vulnerability that
allows xss or html tags and content to be posted to the
Website URL for a member.

 The Problem lies within the usersettings.php
which does not parse < > ( ) tags thus allowing any
user to insert a javascript or html. The problem is
in user.php where the information is displayed. When someone updates their url, AIM or MSN field with malicious content it is displayed without being correctly parsed. Here is an example of how the input might be crafted: 

URL field:
http://www.mysiteurl.com/&lt;script&gt;alert(document.cookie)&lt;/script&gt;

AIM/MSN field: &lt;script&gt;alert(document.cookie)&lt;/script&gt;

Now whenever a user visits that members profile they
will get a javascript popup with their cookie
information while the link will just show:

http://www.mysiteurl.com/

and when the link is clicked on it will take the user
to mysiteurl.com.

  Impact:

 This may lead to cookie information being
stolen or other such xss attacks.
 
  Solution:

edit user.php from lines 233 to 261 to read. Remove spaces in the replace string so that & lt ; etc will form one word:

</td></tr> ";
$source = $user_aim;
//check for bad input and convert it to ISO-8859-1
$bad =  array("<",">","(",")");
$replace = array("& lt ;","& gt ;","& #40 ;","& #41 ;");
 $user_aim = str_replace($bad, $replace, $source);
foreach($user_aim as $aim) {
$user_aim = $aim;
}
$str .= "
                <td style='width:80%'class='forumheader3'>
                        <table style='width:100%'><tr><td style='width:30%'> <img src='".e_IMAGE."generic/aim.png' alt=''  style='vertical-align:middle' /> ".LAN_116."</td><td style='width:70%; text-align:right'>".($user_aim ? $user_aim : "<i>".LAN_401."</i>")."</td></tr></table>
                </td></tr>

                <td style='width:80%'class='forumheader3'> ";
$source = $user_msn;
$user_msn = str_replace($bad, $replace, $source);
foreach($user_msn as $msn) {
$user_msn = $msn;
}
$str .= "
                <table style='width:100%'><tr><td style='width:30%'> <img src='".e_IMAGE."generic/msn.png' alt=''  style='vertical-align:middle' /> ".LAN_117."</td><td style='width:70%; text-align:right'>".($user_msn ? $user_msn : "<i>".LAN_401."</i>")."</td></tr></table>
                </td></tr> ";
$source = $user_homepage;
$user_homepage = str_replace($bad, $replace, $source);
foreach($user_homepage as $homepage) {
$user_homepage = $homepage;
}
$str .= "

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQK8GK9X3ZZExQKX/EQLyOACg5TX3vqGnXlJpv6sWjkmPTkldG3EAn244
2fdinygjzW7EPp6Fve50QiKe
=MNjB
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ