Message-ID: <42645601.4070001@suckea.com>
Date: Tue Apr 19 01:50:38 2005
From: nah at suckea.com (nah@...kea.com)
Subject: XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))

Small XSS bug in the JAWS gadget Glossary; all versions from 0.3 to 0.5
latest beta (beta 2) are vulnerable.

STATUS: The vendor has been contacted and they fixed the bug, but they
haven't released an official patch yet.
(You can find a provisional patch at the end of this file.)

TECHNICAL INFO
================================================================
The Glossary gadget doesn't filter dangerous characters when a new word is
added to the glossary, allowing the insertion of items ranging from
"<script>alert(document.cookie)</script>" to more complex code.
Furthermore, this allows theft of cookies and escalation of privileges
(in the case where someone with lower access than you inserts malicious
code and tries to steal your access).

VULNERABLE VERSIONS
----------------------------------------------------------------
0.4-LATEST BETA (2)

FIX
------------------------------------------------------------------
 
Replace the NewTerm function in GlossaryModel.php with this new one.

/**
 * Adds a new term
 *
 * @access  public
 * @param   string  $term Term
 * @param   string  $desc Term's description
 * @return  boolean Returns true if term was added
 */
function NewTerm ($term, $desc)
{
    // XSS fix: drop HTML tags from the submitted values before they are stored
    if (stristr($term, "<") || stristr($term, ">"))
        $term = strip_tags($term);
    if (stristr($desc, "<") || stristr($desc, ">"))
        $desc = strip_tags($desc);

    $sql = "INSERT INTO [[term]] (term, description, createtime, updatetime)
            VALUES ({term},{desc},NOW(),NOW())";
    $rs = $GLOBALS["app"]->DB->Execute ($sql, array ("term" => $term,
                                                     "desc" => $desc));

    if ($rs) {
        $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_TERM_ADDED"), RESPONSE_NOTICE);
        return true;
    } else {
        $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), RESPONSE_ERROR);
        return new JawsError (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), _t("GLOSSARY_NAME"));
    }
}
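As an added example (not part of the original advisory or of JAWS), the script below runs the advisory's payload and two constructed benign submissions through three renderings: the pre-patch raw echo, the provisional strip_tags-on-input fix above, and output-side encoding with htmlspecialchars. All function names are hypothetical; the check function is a rough heuristic for an unencoded tag start, not an HTML parser.

```php
<?php
// Added example, not code from the original advisory or from JAWS itself.
// Function names are hypothetical; sample submissions are constructed.

// Mirrors the provisional NewTerm patch: strip tags on input, but only when
// the value contains '<' or '>'.
function sanitizeTermInput(string $value): string
{
    if (stristr($value, '<') || stristr($value, '>')) {
        return strip_tags($value);
    }
    return $value;
}
// Output-side defence: keep the stored value unchanged and encode it at the
// moment it is written into HTML, so the browser never parses it as markup.
function renderEncoded(string $term, string $desc): string
{
    $t = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    $d = htmlspecialchars($desc, ENT_QUOTES, 'UTF-8');
    return "<dt>$t</dt><dd>$d</dd>";
}
// Pre-patch behaviour: whatever was stored is echoed into the page as-is.
function renderRaw(string $term, string $desc): string
{
    return "<dt>$term</dt><dd>$desc</dd>";
}
// Rough check: true if the fragment carries a tag start other than our own
// <dt>/<dd> wrapper.
function containsUntrustedTag(string $html): bool
{
    $inner = preg_replace('#</?d[td]>#', '', $html);
    return preg_match('#<[a-z!/]#i', $inner) === 1;
}
// Constructed sample submissions; the first is the payload quoted in the advisory,
// the others are legitimate text that happens to contain '<' and '>'.
$samples = [
    ['<script>alert(document.cookie)</script>', 'cookie theft attempt'],
    ['XSS', 'injecting <markup> into pages'],
    ['math', 'true when 1<2 and 3>1'],
];
foreach ($samples as [$term, $desc]) {
    $variants = [
        'unpatched'   => renderRaw($term, $desc),
        'provisional' => renderRaw(sanitizeTermInput($term), sanitizeTermInput($desc)),
        'encoded'     => renderEncoded($term, $desc),
    ];
    foreach ($variants as $name => $html) {
        printf("%-11s %-6s %s\n", $name, containsUntrustedTag($html) ? 'UNSAFE' : 'ok', $html);
    }
}
```

The 'provisional' rows show that strip_tags neutralises the payload but also discards legitimate text it takes for a tag, which is why encoding at output time is the usual complement to input filtering.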

----------------------------------------------------------
Contact information
:Paulino Calderon
:nah@...kea.com
:http://suckea.com/nah/
