Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Xoops RC3 script injection vulnerability

From: das () hush com
Date: Tue, 24 Sep 2002 06:58:50 -0700

--------------------------------------------
| Xoops RC3 script injection vulnerability |
--------------------------------------------


PROGRAM: Xoops
VENDOR: http://www.xoops.org/
VULNERABLE VERSIONS: RC3.0.4,possibly previous versions
IMMUNE VERSIONS: no immune current versions
SEVERITY: high


Product Description
=================== 
"XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS is the ideal tool for 
developing small to large dynamic community websites, intra company portals, corporate portals, weblogs and much more." 
dixit vendor website.
It can be found at http://www.xoops.org


Tested version
==============
Xoops RC3.0.4, current version (maybe previous versions are also vulnerables).


Description
============ 
The problem appears when a user post a news, a vulnerability exists in Xoops RC3 that allow a typical IMG attack 
against visitors :

<IMG SRC="javascript:[javascript]"> 


The problem
=========== 
A badly disposed member can propose a news containing code (for une news containing code sample of a new vulnerability 
for example) and if webmasters or moderators don't take care, they will approve the news.


Vendor status
=============
I wanted to inform someone from Xoops.org but the website wasn't available, so I informed the French team. They weren't 
aware of this problem so they transmitted it to the Dev Team. The Dev Team had already located the vulnerability which 
is not specific to Xoops but with much of scripts.
In future version, a new filter will be inserted in the textsanitizer to avoid even more this risk.


Solution
========
There's no secure release of Xoops, so the unique solution is, at this moment to disable Html in each post, to avoid 
the problem.


Links
=====
Vendor: http://www.xoops.org
Vendor French team: http://www.frxoops.org

This vulnerability's orginal paper can be found here: http://www.echu.org/modules/news/article.php?storyid=95


------------------------------
David Suzanne (aka dAs)
das () echu org
http://www.echu.org



Get your free encrypted email at https://www.hushmail.com
Previous By Date Next
Previous By Thread Next

Current thread: