[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070702074256.21285.qmail@securityfocus.com>
Date: 2 Jul 2007 07:42:56 -0000
From: darkz.gsa@...il.com
To: bugtraq@...urityfocus.com
Subject: eTicket v.1.5.1.1 Multiple Cross-Site Scripting
eTicket v.1.5.1.1 Multiple Cross-Site Scripting
Author: Attila Gerendi (Darkz)
Date: June 29, 2007
Package: eTicket (http://eticket.sourceforge.net/)
Versions Affected: v.1.5.1.1 (Other versions may also be affected)
Severity: XSS
Input passed to "$_SERVER['REQUEST_URI']" in various scrips and includes is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.
Vulnerable code pieces:
user_login.php on line 7:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post" name="user_login">
admin_login.php on line 7:
"<form action="<?=$_SERVER['REQUEST_URI']?>" method="post" name="admin_login">"
user_group.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">
rep.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">
pref.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">
my.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">
main.php on line 216:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="POST">
mail.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">
cat.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">
banlist_delete.php on line 13:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">
banlist_delete.php on line 43:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>
banlist_addedit.php on line 27:
<form name="form" action="<?=$_SERVER['REQUEST_URI']?>" method="post" onsubmit="return validateForm(this);">
banlist_addedit.php on line 40:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>
banlist.php on line 41:
<form action="<?=$_SERVER['REQUEST_URI']?>" name="banlist">
searc_form.php
$surl=$_SERVER['PHP_SELF'].'?s='.$news;
$qs=preg_replace('/s=(basic|advanced)/', '', $_SERVER['QUERY_STRING']);
if ($qs != '') { $surl.=(substr($qs, 0, 1) == '&')?$qs:"&$qs"; }
?>
<input type="submit" name="search_submit" class="inputsubmit" value="<?=LANG_SEARCH?>">
[<a href="<?=$surl?>"><?=$stext?></a>]
Status:
1. Contacted the author at June 29, 2007 via sourceforge tracker (https://sourceforge.net/tracker/?func=detail&atid=725721&aid=1745220&group_id=132967).
2. The author concluded "I am not happy that this is a real bug, and therefore will be closed until further notice."
Solution:
-edit the source code to ensure the input is properly sanitized.
Powered by blists - more mailing lists