
List:       bugtraq
Subject:    e107 web portal user.php XSS (Cross Site Scripting)
From:       Chris Norton <kicktd () ramsecurity ! us>
Date:       2004-05-22 22:51:20
Message-ID: 20040522225120.8356.qmail () www ! securityfocus ! com



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-------------------------------------------------
R.A.M Security Advisory
-------------------------------------------------
http://www.ramsecurity.us
-------------------------------------------------
Severity: Medium
Title: e107 web portal user.php xss
Date: May 21, 2004
-------------------------------------------------

  Synopsis:

 All versions of e107 have a vulnerability that
allows JavaScript or HTML content to be injected into user.php.


  Description:

 All versions of e107 have a vulnerability that
allows XSS or HTML tags and content to be posted to a
member's Website URL field.

 The problem lies within usersettings.php,
which does not filter the < > ( ) characters, thus allowing any
user to insert JavaScript or HTML. The content is then
displayed unescaped by user.php. When someone updates their URL, AIM
or MSN field with malicious content, it is displayed without being correctly encoded.
Here is an example of how the input might be crafted:

URL field:
http://www.mysiteurl.com/<script>alert(document.cookie)</script>

AIM/MSN field: <script>alert(document.cookie)</script>

Now whenever a user visits that member's profile they
will get a JavaScript popup with their cookie
information, while the link will just show:

http://www.mysiteurl.com/

and when the link is clicked it will take the user
to mysiteurl.com.

  Impact:

 This may lead to cookie information being
stolen or other such XSS attacks.
 
  Solution:

Edit user.php, lines 233 to 261, to read as follows:

</td></tr> ";
$source = $user_aim;
// Replace the characters that could open a tag or a script call with HTML
// entities, so the browser displays them literally instead of interpreting them.
$bad = array("<", ">", "(", ")");
$replace = array("&lt;", "&gt;", "&#40;", "&#41;");
// str_replace() on a string returns the encoded string directly; no loop is needed.
$user_aim = str_replace($bad, $replace, $source);
$str .= "
                <td style='width:80%' class='forumheader3'>
                        <table style='width:100%'><tr><td style='width:30%'> <img src='".e_IMAGE."generic/aim.png' alt='' style='vertical-align:middle' /> ".LAN_116."</td><td style='width:70%; text-align:right'>".($user_aim ? $user_aim : "<i>".LAN_401."</i>")."</td></tr></table>  </td></tr>

                <td style='width:80%' class='forumheader3'> ";
$source = $user_msn;
// Same encoding for the MSN field, reusing the $bad and $replace arrays above.
$user_msn = str_replace($bad, $replace, $source);
$str .= "
                <table style='width:100%'><tr><td style='width:30%'> <img src='".e_IMAGE."generic/msn.png' alt='' style='vertical-align:middle' /> ".LAN_117."</td><td style='width:70%; text-align:right'>".($user_msn ? $user_msn : "<i>".LAN_401."</i>")."</td></tr></table>  </td></tr> ";
$source = $user_homepage;
// Same encoding for the homepage field before it is placed in the page.
$user_homepage = str_replace($bad, $replace, $source);
$str .= "
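As an added example that is not part of the advisory or of e107's code, the stand-alone PHP below contrasts the unescaped rendering described above with output encoding through htmlspecialchars(), which covers the four characters in the advisory's replace list plus the ampersand and both quote characters, and adds a scheme check for the homepage field, which user.php also emits as a link. The function names, the field labels and the stored sample values are assumptions constructed for this demonstration.

```php
<?php
// Added example (not e107's or the advisory's code). Function names, field
// labels and the sample values below are assumptions constructed for this demo.

// Constructed sample input: values a member could save through usersettings.php,
// including the advisory's own proof-of-concept strings.
$stored = [
    'homepage' => 'http://www.mysiteurl.com/<script>alert(document.cookie)</script>',
    'aim'      => '<script>alert(document.cookie)</script>',
    'msn'      => 'plain_handle',
];

// Vulnerable pattern (what the advisory describes in user.php): the stored value
// is concatenated straight into the page markup.
function renderFieldUnsafe(string $label, string $value): string
{
    $shown = $value !== '' ? $value : '<i>not set</i>';
    return "<tr><td>$label</td><td>$shown</td></tr>";
}

// Hardened pattern: encode on output. htmlspecialchars() handles & < > " ' as
// well, so it is a superset of the advisory's < > ( ) replacement list.
function renderFieldSafe(string $label, string $value): string
{
    $enc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    // The "not set" placeholder is static template markup, never user data.
    $shown = $value !== '' ? $enc($value) : '<i>not set</i>';
    return "<tr><td>" . $enc($label) . "</td><td>$shown</td></tr>";
}

// The homepage field is also emitted as a link, so it lands in an attribute
// context: accept only http/https URLs with a host, then encode for the attribute.
function renderHomepageLink(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return '<i>not set</i>';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return '<i>not set</i>';
    }
    $enc = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href=\"$enc\">$enc</a>";
}

// Quick regression check on rendered markup: a raw <script tag in the output
// means user data reached the page unencoded.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach ($stored as $name => $value) {
    $unsafe = renderFieldUnsafe($name, $value);
    $safe   = renderFieldSafe($name, $value);
    printf("%-8s raw <script> in unsafe output: %-3s in safe output: %s\n",
        $name,
        containsRawScriptTag($unsafe) ? 'yes' : 'no',
        containsRawScriptTag($safe) ? 'yes' : 'no');
}
// The encoded link still points at the member's site; the tag text is shown literally.
echo renderHomepageLink($stored['homepage']), "\n";
```

Run it with `php example.php`: the homepage and AIM rows report a raw `<script` tag only in the unsafe output, and the link is emitted with `&lt;script&gt;` in both the href and the link text. The design point is that encoding belongs at the output, chosen for the context the value lands in; the advisory's entity list leaves quote characters untouched, so a value placed inside a quoted attribute would still need the ENT_QUOTES encoding shown here.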

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQK8GK9X3ZZExQKX/EQLyOACg5TX3vqGnXlJpv6sWjkmPTkldG3EAn244
2fdinygjzW7EPp6Fve50QiKe
=MNjB
-----END PGP SIGNATURE-----


