|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                      http://www.corelan.be:8800                  |
|                      security@corelan.be                         |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory          : CORELAN-10-002
Disclosure date   : 10th January 2010
Corelan Reference : http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-002-simply-classifieds-v0.2-xss-and-csrf/

0x00 : Vulnerability information
--------------------------------

[*] Product                      : Simply Classifieds
[*] Version                      : 0.2
[*] Vendor                       : http://orba-design.com/classified.html
[*] URL                          : http://www.hotscripts.com/listing/simply_classifieds/
[*] Type of vulnerability        : XSS and CSRF
[*] Risk rating                  : Low
[*] Issue fixed in version       :
[*] Vulnerability discovered by  : mr_me
[*] Greetings to                 : corelanc0d3r, rick2600, ekse & MarkoT from Corelan Team

0x01 : Vendor description of software
-------------------------------------

From the vendor website:

  This simple classified advertisement application was developed as a
  favour for a friend. I have now ceased development of this script and
  it is no longer available.

0x02 : Vulnerability details
----------------------------

XSS and CSRF:

The author directly includes user-controlled PHP variables ($ar and
$description) in the HTML page without encoding them.

edit_cats.php - line 86:

  Description: " autocomplete="off" size="40" maxlength="40" />

edit_adverts.php - line 120:

  $ar"; ?>

In order to trigger the vulnerability, a user/admin must be tricked into
clicking on a malicious URL. This would allow an attacker to execute
JavaScript code in the context of the user/admin and possibly gain
administrative access.

0x03 : Vendor communication
---------------------------

[*] 16th December, 2009 : Vendor contacted
[*] 3rd January 2010    : Vendor reminded of vulnerabilities
[*] 10th January 2010   : Public Disclosure

0x04 : Exploit/PoC
------------------

1st:
2nd:
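The following is an added example, not code from Simply Classifieds or from the Corelan advisory. It reconstructs the pattern described in section 0x02 (a user-controlled variable such as $description or $ar echoed straight into HTML) beside the encoded form, and adds a per-session token check of the kind that blocks the CSRF half of the report. All function names and the CSRF helper are this example's own assumptions; the input value is constructed.

```php
<?php
// Added example: reconstructs the unencoded-echo pattern described in the
// advisory and shows the encoded equivalent. Function names are assumptions,
// not the vendor's code.

// Pattern as described for edit_cats.php: the value lands inside an input
// attribute with no encoding, so a double quote in the input closes the
// attribute and whatever follows is parsed as markup.
function render_description_unsafe(string $description): string
{
    return '<input name="description" value="' . $description
         . '" autocomplete="off" size="40" maxlength="40" />';
}

// Encoded version: htmlspecialchars() with ENT_QUOTES turns ", ', <, > and &
// into entities, so the value cannot leave the attribute context.
function render_description_safe(string $description): string
{
    $enc = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="description" value="' . $enc
         . '" autocomplete="off" size="40" maxlength="40" />';
}

// Same treatment for a value echoed as element text (the $ar case in
// edit_adverts.php).
function render_text_safe(string $ar): string
{
    return '<p>' . htmlspecialchars($ar, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// CSRF: a random per-session token embedded in each edit form and verified on
// submission, so a request produced by following a link from elsewhere is
// rejected. Assumed helper, not the vendor's code.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && hash_equals($session['csrf'], (string) $post['csrf']);
}

// --- demonstration with a constructed input ------------------------------
$constructed = '"><em>injected</em>';   // constructed: closes the attribute

echo "unsafe: " . render_description_unsafe($constructed) . "\n";
echo "safe:   " . render_description_safe($constructed) . "\n";
echo "text:   " . render_text_safe($constructed) . "\n";

$session = [];
$token   = csrf_token($session);
var_dump(csrf_valid($session, ['csrf' => $token]));
var_dump(csrf_valid($session, ['csrf' => 'forged-value']));
var_dump(csrf_valid($session, []));
```

Run with the PHP CLI; the first echo shows the constructed value escaping the value attribute, the second and third show it rendered as inert text. hash_equals() is used for the token comparison so the check does not leak timing information.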