Message-ID: <6700F21FCDD7B44DBFF2133E45FEF9C545A4642181@whau.smb2go.net>
Date: Mon, 22 Feb 2010 11:02:50 +1300
From: CodeScan Labs Advisories <advisories@...escan.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: jQuery Validate 1.6.0 Demo Code Advisory
+----------------------------------------------+
ADVISORY – jQuery Validate 1.6.0 Demo Code
AFFECTED PACKAGES
> jQuery Validate 1.6.0
> SilverStripe 2.3.X to 2.3.5
Discovered By CodeScan.com
+----------------------------------------------+
Vendor's Website:
http://bassistance.de/jquery-plugins/jquery-plugin-validation/
CodeScan Labs (www.codescan.com) has recently
released a new source code scanning tool,
CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code
for security vulnerabilities. CodeScan utilises
an intelligent source code parsing engine,
traversing execution paths and tracking the flow
of user-supplied input.
During the ongoing testing of CodeScan PHP, the
jQuery.Validate demonstration code was discovered
within another project.
<<< CROSS SITE SCRIPTING THROUGH ECHO >>>
XSS in [form.php], folder [demo].
(Full Path:
<?php
// Demo code as shipped in the jQuery Validate 1.6.0 demo folder:
// both values come straight from the request (GET, POST or cookie).
$user = $_REQUEST['user'];
$pw = $_REQUEST['password'];
if($user && $pw && $pw == "foobar")
    echo "Hi $user, welcome back.";   // $user is reflected into HTML without encoding
<<< PROOF OF CONCEPT >>>
http://[host]/validate/demo/form.php?user=%3Cscript%3Ealert%28%27Proof%20of%20Concept%27%29;%3C/script%3E&password=foobar
<<< YES, WE REALISE THIS IS DEMO CODE >>>
A simple Google search unearthed a number of
results for the existence of this plugin/demo
within SVN repositories, as well as on live web
servers. Demo or not, it has been included in
distributions (Such as SilverStripe) – and has
been deployed in live environments.
<<< RESPONSIBLE DISCLOSURE >>>
We have attempted to make contact with the
author of this plugin, to no avail.
We successfully made contact with the
SilverStripe team who promptly tidied up.
Quick response, well done.
<<< EXPLICIT RECOMMENDATIONS >>>
SilverStripe Users: Upgrade to the latest
version of SilverStripe (2.3.6 at time of
writing), and ensure the file is deleted.
Other Users: Chances are you do not need
this file in your project, so delete the
[form.php] file. Otherwise, ensure proper
output encoding of the reflected value.
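For readers who keep a copy of the demo rather than deleting it, the following is an added example (not part of the advisory, and not code from the jQuery Validate project or SilverStripe) of the same greeting with the reflected parameter HTML-encoded before it reaches the response. The helper names `html_escape` and `greeting`, the strict comparison, and the constructed request array are assumptions for illustration; the demo-only "foobar" check is kept only so the example mirrors the original flow.

```php
<?php
// Added example, not the demo's own code: the greeting from form.php
// rebuilt so that the user-controlled value is encoded for HTML.
// Function names and the sample request below are assumed/constructed.

// Encode a string for safe insertion into an HTML text node or a
// double-quoted attribute value. ENT_QUOTES also encodes ' and ";
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the greeting the demo printed, with the reflected parameter
// encoded. Returns null when the demo-style credential check fails.
// A strict comparison avoids PHP's loose "==" coercions and rejects
// a non-string (e.g. array) value submitted as password[]=.
function greeting(array $request): ?string
{
    $user = $request['user'] ?? '';
    $pw   = $request['password'] ?? '';
    if (!is_string($user) || !is_string($pw) || $user === '' || $pw !== 'foobar') {
        return null;
    }
    return 'Hi ' . html_escape($user) . ', welcome back.';
}

// Constructed request mirroring the advisory's proof-of-concept URL.
$probe = [
    'user'     => "<script>alert('Proof of Concept');</script>",
    'password' => 'foobar',
];

// Declaring the charset keeps the browser's decoding consistent with
// the one passed to htmlspecialchars() above.
header('Content-Type: text/html; charset=UTF-8');
echo greeting($probe);
```

With the encoded output, the markup characters in the `user` parameter arrive in the page as text rather than as a script element, while the greeting still displays the submitted name verbatim.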
<<< CLOSING NOTES >>>
You may be able to write secure code, but the
code you get from third parties can put you at
risk. Always review the code of third parties
(including/especially plug-ins) – not doing so
puts you at unnecessary risk.