Bugtraq mailing list archives

Xoops Private Message System Script injection


From: Cabezon Aurélien <aurelien.cabezon () isecurelabs com>
Date: Tue, 29 Jan 2002 17:00:17 +0100

-- [ Xoops Private Message System Script injection ] --

Discovered on 29/01/2002
Vendor: http://xoops.sourceforge.net

-- [ Overview ] --

XOOPS is an open source portal script written extensively in object-oriented
PHP, with a MySQL database backend.

Xoops offers members a Private Message System (mail-like) that can be abused
to execute arbitrary JavaScript code on other members' computers when they
display the Private Message Box.

-- [ Description ] --

The variable coming from the "Title" field of the Private Message System is
not checked for bad input.
That allows a malicious member to execute JavaScript code on other members'
computers when they display the Private Message Box.

-- [ Exploit ] --

Just input your JavaScript code into the title field when composing the message.
The member who opens his Private Message Box will see a "Test" popup window.
This JavaScript is not so nasty, but some others can be...
(stolen cookies, writing to the Registry under some circumstances)

For example:
JavaScript Can Write Anything to the Windows' Registry
http://www.securiteam.com/exploits/5FP080A5FM.html

-- [ Tested Version ] --

Xoops RC1

-- [ Discovered by ] --

Cabezon Aurelien | aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com | French Security portal


Regards,

---
Cabezon Aurélien | aurelien.cabezon () isecurelabs com
http://www.iSecureLabs.com | French Security Portal

____________________________________________
" Know that today is the most beautiful day of your life,
for it is the first of those you have left to live "
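
The missing check on the "Title" field described in the advisory, shown next to an output-encoded version. This is an added example, not XOOPS source code and not part of the original post: the function names, the row markup and the sample messages are hypothetical, and the second sample title is constructed to match the "Test" popup the advisory mentions.

```php
<?php
// Added example: hypothetical rendering helpers, not XOOPS source code.

// Vulnerable pattern: the stored title is concatenated into HTML as-is,
// so any markup in the title is parsed by the recipient's browser.
function render_inbox_row_unsafe(array $msg): string
{
    return '<tr><td>' . $msg['from'] . '</td><td>' . $msg['title'] . "</td></tr>\n";
}

// HTML-encode a value for use in element content or a quoted attribute.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every member-controlled field is encoded at output
// time, so it is safe no matter how the value got into the database.
function render_inbox_row_safe(array $msg): string
{
    return '<tr><td>' . h($msg['from']) . '</td><td>' . h($msg['title']) . "</td></tr>\n";
}

// Constructed sample inbox: one ordinary title, one carrying markup.
$inbox = [
    ['from' => 'alice',   'title' => 'Meeting at 5 & dinner'],
    ['from' => 'mallory', 'title' => '<script>alert("Test")</script>'],
];

foreach ($inbox as $msg) {
    $unsafe = render_inbox_row_unsafe($msg);
    $safe   = render_inbox_row_safe($msg);

    // Regression check: no raw script tag from the title survives encoding.
    $leak = stripos($safe, '<script') !== false;

    echo "unsafe: $unsafe";
    echo "safe:   $safe";
    echo 'script tag reaches the browser after encoding: ' . ($leak ? 'yes' : 'no') . "\n\n";
}
```

Encoding at output rather than filtering at input keeps the stored title intact and covers messages that were already in the database before the fix.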

