logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

XOOPS glossary Module CSS
Date: 2003-04-03

Author : "fred magistrat" <magistrat@hotmail.com>

Author: Magistrat
Date: 30/03/2003
Object: XOOPS glossary Module Input Filtering Bug Allows Remote Users to
Conduct Cross-Site Scripting Attacks
Impact: Disclosure of authentication information, Execution of arbitrary
code via network, Modification of user information, User access via network
Fix: yes

--------------------------------------------------

After the module quizz and private message of xoops, i have found an another
risk in glossary whit some test on Web sites using xoops versions 1.3.8 to
1.3.9 ( Glossary on V2.0 is not holed )

Description of glossary module :

This is just the module on xoops who permit to make dictionnary with search
engine.

--------------------------------------------------
The vulnerability :

A remote user can conduct cross-site scripting attacks against this module
and send a message like this :

<url=http://www.blocus-zone.com/modules/glossaire/glossaire-aff.php?lettre=<IMG%20SRC="http://www.blocus-zone.com/modules/news/images/topics/smblocus.gif">]click

here for register</url>

We obtain:

http://www.blocus-zone.com/modules/news/images/topics/bugblocus.jpg

( Note that the code that we have presented here is not dangerous, however
there is some codes
much more malicious to steal the admin c o o k i e )

--------------------------------------------------
History:

the team of xoops dévellopement as her community was prevented on
11/24/2003. Patch are not available by xoops developer and the author of the
glossary module for 1.3.x versions, work now for an another content
management system.

Solution:

in glossaire-aff.php, add this script :
-----------------------------------------------

foreach ($_REQUEST as $key=>$value) {
$value=htmlspecialchars($value,ENT_QUOTES);
${$key} = $value;
$_GET[$key] = $value;
$HTTP_GET_VARS[$key] = $value;

-----------------------------------------------

thanks:
to frogman from phpsecure.org >
http://www.phpsecure.org

(sorry for my poor english )

Regards
Magistrat



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy