Full Disclosure mailing list archives
XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))
From: "nah () suckea com" <nah () suckea com>
Date: Mon, 18 Apr 2005 17:51:13 -0700
Small XSS Bug in JAWS gadget: Glossary all versions vulnerable 0.3 - 0.5 latest beta (beta2)
STATUS: The vendor has been contacted and has fixed the bug, but an official patch has not been released yet.
(You can find a provisional patch at the end of the file)

TECHNICAL INFO
================================================================
The Glossary gadget doesn't filter dangerous characters when a new word is added to the glossary, allowing the insertion of anything from "<script>alert(document.cookie)</script>" to more complex code. This makes cookie theft and escalation of permissions possible: someone with lower access than you inserts malicious code, and it runs in your browser when you view the glossary, letting them steal your access.

VULNERABLE VERSIONS
----------------------------------------------------------------
0.4-LATEST BETA (2)

FIX
------------------------------------------------------------------
Replace the NewTerm function in GlossaryModel.php with this new one.

    /**
     * Adds a new term
     *
     * @access public
     * @param  string $term Term
     * @param  string $desc Term's description
     * @return boolean Returns true if term was added
     */
    function NewTerm($term, $desc)
    {
        // xss fix: strip HTML tags from either field if it contains angle brackets
        if (stristr($term, "<") || stristr($term, ">")) {
            $term = strip_tags($term);
        }
        if (stristr($desc, "<") || stristr($desc, ">")) {
            $desc = strip_tags($desc);
        }

        $sql = "INSERT INTO [[term]] (term, description, createtime, updatetime)
                VALUES ({term},{desc},NOW(),NOW())";
        $rs = $GLOBALS["app"]->DB->Execute($sql, array("term" => $term, "desc" => $desc));

        if ($rs) {
            $GLOBALS["session"]->PushLastResponse(_t("GLOSSARY_TERM_ADDED"), RESPONSE_NOTICE);
            return true;
        } else {
            $GLOBALS["session"]->PushLastResponse(_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), RESPONSE_ERROR);
            return new JawsError(_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), _t("GLOSSARY_NAME"));
        }
    }

----------------------------------------------------------
Contact information:
Paulino Calderon
nah () suckea com
http://suckea.com/nah/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
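The provisional patch above filters tags on the way into the database. As an added example (not JAWS code and not the author's patch), the snippet below shows the complementary defence a glossary page should have regardless of how a term was stored: escaping every field at output time. The escapeHtml and renderGlossary functions and the $rows sample data are constructed for this illustration.

```php
<?php
// Added example, not part of JAWS: output-side HTML escaping for glossary rows.
// Input filtering with strip_tags() (as in the provisional patch) does nothing
// for entries inserted before the patch or via a path that bypasses NewTerm();
// escaping at render time covers every row that reaches the page.

declare(strict_types=1);

/** Escape a string for use in an HTML text node or quoted attribute value. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render glossary rows as a definition list, escaping each stored field. */
function renderGlossary(array $rows): string
{
    $out = "<dl>\n";
    foreach ($rows as $row) {
        $out .= '  <dt>' . escapeHtml((string) $row['term']) . "</dt>\n";
        $out .= '  <dd>' . escapeHtml((string) $row['description']) . "</dd>\n";
    }
    return $out . "</dl>\n";
}

// Constructed sample rows, including the probe string quoted in the advisory
// as it would look if it had been stored before the strip_tags() fix was applied.
$rows = [
    ['term' => 'XSS',                                     'description' => 'Cross-site scripting'],
    ['term' => '<script>alert(document.cookie)</script>', 'description' => 'stored before the patch'],
];

echo renderGlossary($rows);
```

Because the angle brackets and quotes in the second row are converted to HTML entities, the browser displays the probe as literal text rather than parsing it as markup.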