lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY129-W28899C022909A601C7C798C7B30@phx.gbl>
Date: Wed, 7 Jul 2010 21:02:43 +0100
From: Andrei Rimsa <rimsa@...e.com>
To: <bugtraq@...urityfocus.com>
Subject: Pligg Installation File XSS Vulnerability


Title: Pligg Installation File XSS Vulnerability
Vendor: Pligg
Product: Pligg CMS
Tested Version: 1.0.4
Threat Class: XSS
Severity: Medium
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares
 
===== Description =====
 
Pligg is prone to a XSS vulnerability in the installation file: install/install1.php. The variable "language" - obtained from an http request - can be manipulated to execute java script code via onmouseover like functions. Even with the two sanitizers used (strip_tags and addslashes) it is possible to bypass the double quote jail of the value field in the input tag by passing a double quote via the "language" variable.
 
----- install/install1.php -----
20:  <input type="hidden" name="language" value="<?php echo addslashes(strip_tags($_REQUEST['language'])); ?>">
----- install/install1.php -----
 
The sanitizer strip_tags prevents new tags to be used (like <script> and </script>) but it does not filter onmouseover type attacks. Addslashes inserts backslashes to escape special characters like double quote, but since html does not process escape sequences this sanitizer is useless to prevent breaking the double quote jail - regardless of magic_quotes is enabled or not.
 
===== Impact =====
 
Malicious java script code can be executed in the context of the affected web site.
 
===== Proof of Concept =====
 
A simple proof of concept demonstrating the double quote jail by passing is shown below. However, this attack is not exploitable because the input field is hidden.
 
http://target/install/install1.php?language=%22%20onmouseover=alert()%3E
 
To overcome this limitation and provided a real case attack scenario, we used a technique obtained from [1]. This attack attempts to increase the area of the affected input field to cover the whole screen. Once the mouse is moved anywhere on the screen, the onmouseover java script can be triggered to execute the malicious code. In this proof of concept, an alert containing the message "XSS" should be shown on the screen in case of mouse movement.
 
http://target/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E
 
This attack venue exploited in this proof of concept had no effect on Google Chrome web browser, but was successfully exploited on Mozilla Firefox and others.
 
===== Workaround =====
 
Remove the installation directory after installation, as recommended during installation.
 
===== Disclosure Timeline =====
 
June, 16 2010 - Vendor notification.
June, 22 2010 - Vendor replied but did not acknowledge the bug.
June, 22 2010 - New contact attempted to provide more details about the bug.
July, 07 2010 - No vendor reply. Public disclosure.
 
===== References =====
 
1. http://www.packetstormsecurity.org/papers/bypass/workaround-xss.txt
2. http://www.pligg.com 		 	   		  
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ