[<prev] [next>] [day] [month] [year] [list]
Message-ID: <43EBFDA5.2030700@gulftech.org>
Date: Thu, 09 Feb 2006 20:42:45 -0600
From: GulfTech Security Research <security@...ftech.org>
To: Secunia Research <vuln@...unia.com>, moderators@...db.org,
bugtraq@...urityfocus.com
Subject: CPAINT AJAX Library Cross Site Scripting
##########################################################
# GulfTech Security Research February 9, 2006
##########################################################
# Vendor : CPAINT
# URL : http://sourceforge.net/projects/cpaint
# Version : CPAINT <= 2.0.2
# Risk : Cross Site Scripting
##########################################################
Description:
CPAINT (Cross-Platform Asynchronous INterface Toolkit) is a
multi-language toolkit that helps web developers design and
implement AJAX web applications with ease and flexibility.
CPAINT does not sanitize all user supplied data properly
which leads to cross site scripting. This makes not only
CPAINT vulnerable, but the applications that use CPAINT as
a third party library are vulnerable as well.
Cross Site Scripting:
There is a cross site scripting issue in CPAINT versions
prior to 2.0.3 that allows for a malicious user to conduct
cross site scripting attacks against the application using
the CPAINT libraries.
http://cpaint/script.php?cpaint_response_type=%3Ciframe%20
src=http://www.gulftech.org/%3E
The above is an example of the Cross Site Scripting issue.
Note that script.php is just symbolic as the name of the
script would obviously be the script making use of the CPAINT
library. The vulnerability occurs in this case within the
file cpaint2.inc.php @ lines 169-172
// determine response type
if (isset($_REQUEST['cpaint_response_type'])) {
$this->response_type = strtoupper((string)
$_REQUEST['cpaint_response_type']);
} // end: if
The above code causes the response_type variable to become
whatever the attacker wants it to be, and is later used in
a switch statement where it is echoed back to the end user.
This vulnerability can lead to disclosure of client side
data and possibly aid in social attacks.
Solution:
Thanks to Paul Sullivan for a very quick resolution to this
issue ( about 24hrs, very good :) ) A new version of CPAINT
is now available and users should upgrade to CPAINT 2.0.3
http://cpaint.booleansystems.com/forums/viewtopic.php?t=98
The above url contains additional download information such
as where to find the latest available version.
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00097-02092006
Powered by blists - more mailing lists