Full Disclosure mailing list archives

XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))


From: "nah () suckea com" <nah () suckea com>
Date: Mon, 18 Apr 2005 17:51:13 -0700

Small XSS bug in the JAWS Glossary gadget; all versions from 0.3 to the 0.5 latest beta (beta2) are vulnerable.

STATUS: The vendor has been contacted and has fixed the bug, but an official patch has not been released yet.
(A provisional patch is given at the end of this message.)

TECHNICAL INFO
================================================================
The Glossary gadget does not filter dangerous characters when a new word is
added to the glossary, allowing the insertion of items ranging
from "<script>alert(document.cookie)</script>" to more complex code. This also enables cookie theft and escalation of permissions (for example, when someone with lower access than you inserts malicious code and uses it to steal your access).

VULNERABLE VERSIONS
----------------------------------------------------------------
0.4-LATEST BETA (2)

FIX
------------------------------------------------------------------

Replace the NewTerm function in GlossaryModel.php
with the following one.

    /**
     * Adds a new term
     *
     * @access  public
     * @param   string  $term Term
     * @param   string  $desc Term's description
     * @return  boolean Returns true if term was added
     */
    function NewTerm ($term, $desc)
    {
        // xss fix: strip HTML tags from the user-supplied term and description
        if (stristr($term, "<") || stristr($term, ">")) {
            $term = strip_tags($term);
        }
        if (stristr($desc, "<") || stristr($desc, ">")) {
            $desc = strip_tags($desc);
        }

        $sql = "INSERT INTO [[term]] (term, description, createtime, updatetime)
                VALUES ({term},{desc},NOW(),NOW())";
        $rs = $GLOBALS["app"]->DB->Execute ($sql, array ("term" => $term, "desc" => $desc));

        if ($rs) {
            $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_TERM_ADDED"), RESPONSE_NOTICE);
            return true;
        } else {
            $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), RESPONSE_ERROR);
            return new JawsError (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), _t("GLOSSARY_NAME"));
        }
    }
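
The following PHP is an added illustration and is not JAWS project code or part of the provisional patch above. It shows the two halves of a stored-XSS defence for a glossary like this one: the input-side strip_tags() filter the patch uses, and output-side escaping with htmlspecialchars() at the point where a stored term is rendered, which is what actually stops the advisory's "<script>alert(document.cookie)</script>" payload (and any other markup) from executing in a viewer's browser. The $glossary array, renderVulnerable(), renderSafe(), escapeHtml() and sanitizeTerm() are constructed for this example only.

```php
<?php
// Added example, not part of the JAWS Glossary gadget.
// Constructed sample glossary rows: one benign, one carrying the
// payload quoted in the advisory as a low-privilege user might submit it.
$glossary = [
    ['term' => 'XSS',
     'desc' => 'Cross-site scripting'],
    ['term' => '<script>alert(document.cookie)</script>',
     'desc' => 'entry submitted by a user with lower access'],
];

// Vulnerable rendering (the pattern the advisory describes): stored
// strings are concatenated into HTML verbatim, so a stored <script>
// tag runs in the browser of every user who views the glossary.
function renderVulnerable(array $entries): string
{
    $html = "<dl>\n";
    foreach ($entries as $e) {
        $html .= "  <dt>{$e['term']}</dt>\n  <dd>{$e['desc']}</dd>\n";
    }
    return $html . "</dl>\n";
}

// Output-side escaping: <, >, &, " and ' become entities, so whatever
// was stored is displayed as text and never parsed as markup.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value is escaped where it is
// emitted. This holds even if an older, unfiltered row is already in
// the database, which an input-side fix alone cannot retroactively cover.
function renderSafe(array $entries): string
{
    $html = "<dl>\n";
    foreach ($entries as $e) {
        $html .= "  <dt>" . escapeHtml($e['term']) . "</dt>\n"
               . "  <dd>" . escapeHtml($e['desc']) . "</dd>\n";
    }
    return $html . "</dl>\n";
}

// Input-side filter mirroring the provisional patch's strip_tags() call.
// Useful as defence in depth; note that strip_tags() removes tags but
// leaves characters such as quotes untouched, so it does not replace
// escaping at output time.
function sanitizeTerm(string $s): string
{
    return strip_tags($s);
}

echo "--- vulnerable output (script tag survives) ---\n";
echo renderVulnerable($glossary);

echo "--- escaped output (script tag rendered as text) ---\n";
echo renderSafe($glossary);

echo "--- input filter on the advisory payload ---\n";
echo sanitizeTerm('<script>alert(document.cookie)</script>'), "\n";
// strip_tags() leaves only the text between the tags:
// alert(document.cookie)

echo "--- escaping also covers quotes and ampersands ---\n";
echo escapeHtml('"quoted" & <b>bold</b>'), "\n";
// &quot;quoted&quot; &amp; &lt;b&gt;bold&lt;/b&gt;
```

Run with `php example.php`. The vulnerable block prints the raw <script> element inside the <dt>; the safe block prints it as &lt;script&gt;...&lt;/script&gt;, which a browser displays literally. The practical takeaway for reviewing the patch above is that strip_tags() on insert closes the reported path, while escaping on output protects rows that were stored before the fix and any rendering context the input filter did not anticipate.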

----------------------------------------------------------
Contact information
:Paulino Calderon
:nah () suckea com
:http://suckea.com/nah/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

