('binary' encoding is not supported, stored as-is)
Author: Magistrat
Date: 30/03/2003
Object: XOOPS glossary Module Input Filtering Bug Allows Remote Users to
Conduct Cross-Site Scripting Attacks
Impact: Disclosure of authentication information, Execution of arbitrary
code via network, Modification of user information, User access via network
Fix: yes
--------------------------------------------------
After the module quizz and private message of xoops, i have found an
another risk in glossary whit some test on Web sites using xoops versions
1.3.8 to 1.3.9 ( Glossary on V2.0 is not holed )
Description of glossary module :
This is just the module on xoops who permit to make dictionnary with
search engine.
--------------------------------------------------
The vulnerability :
A remote user can conduct cross-site scripting attacks against this module
and send a message like this :
<url=
http://www.blocus-zone.com/modules/glossaire/glossaire-aff.php?
lettre=<IMG%20SRC="
http://www.blocus-
zone.com/modules/news/images/topics/smblocus.gif">]click here for
register</url>
We obtain:
http://www.blocus-zone.com/modules/news/images/topics/bugblocus.jpg
( Note that the code that we have presented here is not dangerous, however
there is some codes
much more malicious to steal the admin c o o k i e )
--------------------------------------------------
History:
the team of xoops dévellopement as her community was prevented on
11/24/2003. Patch are not available by xoops developer. Moreover, the
author of the glossary module for 1.3.x versions, work now for an another
content management system.
Solution:
in glossaire-aff.php, add this script :
-----------------------------------------------
foreach ($_REQUEST as $key=>$value) {
$value=htmlspecialchars($value,ENT_QUOTES);
${$key} = $value;
$_GET[$key] = $value;
$HTTP_GET_VARS[$key] = $value;
}
-----------------------------------------------
thanks:
to frogman from phpsecure.org >
http://www.phpsecure.org
(sorry for my poor english )
Regards
Magistrat
Received on Apr 02 2003
Intro
