XOOPS MyTextSanitizer CSS 1.3x & 2.x

[magistrat <magistrat () blocus-zone com>]

Author: Doxical & Magistrat
http://www.blocus-zone.com
Date: 25/04/2003

Object: XOOPS MyTextSanitizer Filtering Bug Allows Remote Users to Conduct 
Cross-Site Scripting Attacks in many modules: News, newbb, private 
messages, signatures etc...
Impact: Disclosure of authentication information, Execution of arbitrary 
code via network, Modification of user information, admin account 
hijacking.
Fix: yes

introduction

After glossary and gallery modules of xoops, we have found an another 
vulnerability in MytextSanitizer function who permit somme CSS injection 
in xoops versions 1.3.x to 2.x 

Description of the MyTextSanitizer script :

This is just the function on xoops who filters the unauthorized characters 
or malicious scripts.

The vulnerability :

A remote user can bypass Sanitizer and conduct cross-site scripting 
attacks with a post in a topic in board (newbb) send malicious private 
message to admin, insert script in the news comment...

Example : 

java script:alert%28document.cookie%29
with img tags

History: 

-the team of xoops.org was prevented on 04/21/2003
-Patch are now available since 04/25/2003

Regards