lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 3 Jul 2007 10:53:15 +0300
From: "Attila Gerendi" <darkz.gsa@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: eTicket v.1.5.1.1 Multiple Cross-Site Scripting

 eTicket v.1.5.1.1 Multiple Cross-Site Scripting

Author: Attila Gerendi (Darkz)
Date: June 29, 2007
Package: eTicket (http://eticket.sourceforge.net/)
Versions Affected: v.1.5.1.1 (Other versions may also be affected)
Severity: XSS

Input passed to "$_SERVER['REQUEST_URI']" in various scrips and includes is
not properly sanitised before being used. This can be exploited to insert
arbitrary HTML and script code, which is executed in a user's browser
session in context of an affected site when malicious data is viewed.

Vulnerable code pieces:

user_login.php on line 7:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post" name="user_login">

admin_login.php on line 7:
"<form action="<?=$_SERVER['REQUEST_URI']?>" method="post"
name="admin_login">"

user_group.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

rep.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

pref.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

my.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

main.php on line 216:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="POST">

mail.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

cat.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

banlist_delete.php on line 13:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

banlist_delete.php on line 43:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>

banlist_addedit.php on line 27:
<form name="form" action="<?=$_SERVER['REQUEST_URI']?>" method="post"
onsubmit="return validateForm(this);">

banlist_addedit.php on line 40:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>

banlist.php on line 41:
<form action="<?=$_SERVER['REQUEST_URI']?>" name="banlist">

searc_form.php

$surl=$_SERVER['PHP_SELF'].'?s='.$news;
$qs=preg_replace('/s=(basic|advanced)/', '', $_SERVER['QUERY_STRING']);
if ($qs != '') { $surl.=(substr($qs, 0, 1) == '&')?$qs:"&amp;$qs"; }

?>
    <input type="submit" name="search_submit" class="inputsubmit"
value="<?=LANG_SEARCH?>">
    [<a href="<?=$surl?>"><?=$stext?></a>]

Status:
1. Contacted the author at June 29, 2007 via sourceforge tracker (
https://sourceforge.net/tracker/?func=detail&atid=725721&aid=1745220&group_id=132967
).
2. The author concluded "I am not happy that this is a real bug, and
therefore will be closed until further notice."
3. After more work around on July 02 2007 the svn version was fixed.

Solution:
-edit the source code to ensure the input is properly sanitized.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ