Bugtraq
mailing list archives
XSS vulnerability in XOOPS 2.0.5.1
From: Chintan Trivedi <chesschintan () hotmail com>
Date: 21 Dec 2003 14:44:39 -0000
====================================================================
Advisory by Eye On Security Research Group - India www.eos-india.net
====================================================================
1.==============================================================Product
2.===============================================================Vendor
3.========================================================Vulnerability
4.========================================================About Product
5.=============================================Details of vulnerability
6.==============================================================Exploit
7.==============================================================Credits
1. Product
==========
XOOPS 2.0.5.1
2. Vendor
=========
www.xoops.org
3. Vulnerability
================
XSS vulnerability in module weblinks
4. About XOOPS
==============
XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS supports a number
of databases, making XOOPS an ideal tool for developing small to large dynamic community websites, intra company
portals, corporate portals, weblogs and much more.
5. Details of vulnerability
===========================
The weblinks module contains a file named "myheader.php" in the /modules/mylinks/ directory. The code of the file
is as follows:
---------------------------------
include "../../mainfile.php";
$url = $HTTP_GET_VARS['url'];
$lid = intval($HTTP_GET_VARS['lid']);
.
.
.
<td class='bg4' align="center"><small>
<a target="main" href="ratelink.php?cid=<? echo $cid; ?>&lid=<? echo $lid; ?>"><? echo _MD_RATETHISSITE; ?></a> |
<a target="main" href="modlink.php?lid=<? echo $lid; ?>"><? echo _MD_MODIFY; ?></a> | <a target="main"
href="brokenlink.php?lid=<? echo $lid; ?>"><? echo _MD_REPORTBROKEN; ?></a> | <a target='_top' href='mailto:?subject=<?
echo $mail_subject; ?>&body=<? echo $mail_body;?>'><? echo _MD_TELLAFRIEND; ?></a> | <a target='_top' href="<? echo
XOOPS_URL; ?>">Back to <? echo $xoopsConfig['sitename']; ?></a> | <a target='_top' href="<? echo $url; ?>">Close
Frame</a>
</small>
.
.
-----------------------------------
The value of the variable "url" is used in the line
<a target='_top' href="<? echo $url; ?>">Close Frame</a>
Thus an attacker can pass JavaScript code as the value of the variable url and have it executed as soon as the
victim clicks the "Close Frame" link.
6. Exploit
==========
http://[target]/modules/mylinks/myheader.php?url=javascript:alert(document.cookie);
On clicking the above link, the victim is directed to a page containing a "Close Frame" link which is actually
the JavaScript code inserted by the attacker. The revealed cookie gives the attacker enough information to log in with
the privileges of the hijacked user (including admin).
7. Credits
==========
Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net
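One way to harden the "url" handling described in section 5, as an added example (not code from the advisory or from XOOPS): allow only absolute http/https URLs and HTML-escape the value before it is written into the href. The function name safe_href() and the '#' fallback are hypothetical.

```php
<?php
// Added example, not XOOPS code. safe_href() and the '#' fallback are hypothetical.
// Intended use in the template: href="<? echo safe_href($url); ?>"

/**
 * Return a value safe to place inside a quoted href attribute,
 * or the fallback when the input is not an absolute http(s) URL.
 */
function safe_href($url, $fallback = '#')
{
    // Browsers ignore tabs, newlines and leading whitespace when resolving
    // a URL, so "java\tscript:" or " javascript:" still executes. Trim the
    // value and reject anything that still contains a control character.
    $url = trim((string) $url);
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return $fallback;
    }

    // Allowlist the scheme instead of blocklisting "javascript:"; requiring
    // a scheme and host also rejects data:, vbscript: and relative inputs.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return $fallback;
    }

    // Escape for the attribute context so a quote cannot close the href.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: the advisory's payload, an obfuscated variant,
// a normal link, and an attribute-breakout attempt.
$samples = array(
    'javascript:alert(document.cookie);',
    "java\tscript:alert(1)",
    'http://example.org/page?a=1&b=2',
    'http://example.org/"><script>alert(1)</script>',
);
foreach ($samples as $s) {
    printf("%-50s => %s\n", json_encode($s), safe_href($s));
}
```

The first two samples fall back to '#', and the last two are emitted with &, quotes and angle brackets encoded as HTML entities.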