[UNIX] Xoops Private Message System Script Injection

From: support@securiteam.com
Date: 02/03/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  3 Feb 2002 22:10:57 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Xoops Private Message System Script Injection
------------------------------------------------------------------------

SUMMARY

 <http://xoops.sourceforge.net/> Xoops is an open source portal script
written extensively in object-oriented PHP and backed by a MySQL database.
There are several security issues:
 - Xoops discloses the SQL query source
 - Xoops allows a remote user to perform SQL query injection
 - Xoops is vulnerable to cross-site scripting

DETAILS

Vulnerable systems:
Xoops version RC1

Immune systems:
Xoops version RC2

The userinfo.php script does not check for special meta-characters in
the user's input. It is possible to make it crash with a query such as:
http://xoops-site/userinfo.php?uid=1;

The error report will include:
-snip-
MySQL Query Error: SELECT u.*, s.* FROM x_users u, x_users_status s WHERE
u.uid=1; AND u.uid=s.uid
Error number:1064
Error message: You have an error in your SQL syntax near '; AND
u.uid=s.uid' at line 1
ERROR
-snip-

This discloses a lot of information that helps perform an SQL injection
attack, such as
http://xoops-site/userinfo.php?uid=1[SQL Query]
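The two defects above (the parameter spliced into SQL text, and the raw engine error echoed to the client) side by side with a hardened version. This is an added illustration, not Xoops code; the two-table schema and rows are constructed to mirror the tables named in the error message, and SQLite stands in for MySQL.

```python
import re
import sqlite3

# Constructed sample schema mirroring the tables named in the advisory's error output.
SCHEMA = """
CREATE TABLE x_users (uid INTEGER PRIMARY KEY, uname TEXT);
CREATE TABLE x_users_status (uid INTEGER PRIMARY KEY, posts INTEGER);
INSERT INTO x_users VALUES (1, 'admin'), (2, 'alice');
INSERT INTO x_users_status VALUES (1, 10), (2, 3);
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def vulnerable_query(uid):
    # The RC1 pattern: the untrusted uid parameter is pasted straight into SQL text,
    # so "1;" yields exactly the broken statement shown in the advisory.
    return ("SELECT u.*, s.* FROM x_users u, x_users_status s "
            f"WHERE u.uid={uid} AND u.uid=s.uid")

def parse_uid(raw):
    # Hardened input handling: accept only a decimal integer, reject everything else.
    if not re.fullmatch(r"[0-9]+", raw.strip()):
        raise ValueError("uid must be a positive integer")
    return int(raw)

def lookup_user(conn, raw_uid):
    """Return (row, error_for_user); SQL text and engine errors never reach the client."""
    try:
        uid = parse_uid(raw_uid)
        row = conn.execute(
            "SELECT u.uid, u.uname, s.posts FROM x_users u "
            "JOIN x_users_status s ON u.uid = s.uid WHERE u.uid = ?",
            (uid,),                      # bound parameter, never string-concatenated
        ).fetchone()
        return row, None
    except ValueError:
        return None, "Invalid user id."
    except sqlite3.Error as exc:
        # Log the engine error server-side; the client sees only a generic message.
        print(f"[log] database error: {exc}")
        return None, "A database error occurred."
```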

In addition, the Xoops Private Message Box is vulnerable to cross-site
scripting. For example:
http://xooped-site/pmlite.php?to_userid=[USER_ID_OF_TARGET]&msg_id=&image=foo.gif'><script alert("test");</script><img%20src='http://www.isecurelabs.com /images/barre.jpg&op=submit&theme=snow&subject=Are you sure ?&message=really?&submit=Submit

ADDITIONAL INFORMATION

More about SQL injection:
 <http://www.owasp.org/projects/asac/iv-sqlinjection.shtml>

The information has been provided by
<mailto:aurelien.cabezon@isecurelabs.com> Cabezon Aurelien.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
