[UNIX] PHPX Web Portal Multiple Vulnerabilities

• Previous message: SecuriTeam: "[NEWS] Red-M Red-Alert Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 12 Feb 2004 12:19:40 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  PHPX Web Portal Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

" <http://www.phpx.org> PHPX is a constantly evolving and changing Content
Management System (CMS). PHPX is highly customizable and high powered all
in one system. PHPX provides content management combined with the power of
a portal by including in the core package modules such as FAQ, polls, and
forums."

Multiple vulnerabilities were found in PHPX that allow an attack to inject
arbitrary script code, perform cross-site scripting and even hijack cookie
accounts.

DETAILS

Vulnerable Systems:
 * PHPX version 3.2.3 (possibly prior)

Immune Systems:
 * PHPX version 3.2.4

Cross-site Scripting
Vulnerabilities exist in the main.inc.php, help.inc.php files that would
allow an attacker to insert arbitrary code which would execute on the
client's browser. An example of such conditions can be demonstrated in the
following manner:

main.inc.php?keywords='>< scr!pt>alert(document.cookie)< /scr!pt>
help.inc.php?body='>< scr!pt>alert(document.cookie)< /scr!pt>

NOTE: In the examples above the 'script' tag has been replaced with
'scr!pt'.

HTML/Code Injection Flaw
Injection of malicious code is possible through the 'Subject' field in
both the Forum and Instant Messaging. An attack can inject specially
crafted code which would be triggered when a user views certain pages. A
scripting code crafted by the attack will then be executed at the user's
client side and could manipulate user profiles, post in forums and steal
cookie sessions.

Cookie Account Hijacking Vulnerability
A cookie written by PHPX contains a variable called PXL which PHPX uses in
order to authenticate users. It is possible to edit the PXL variable in
such a manner that would allow authentication as a different user and gain
access to their accounts. In fact, it is also possible to gain
administrative access which naturally means a full compromise of the
system in question.

Vendor Status:
The vendor has been notified and a newer version was released.

ADDITIONAL INFORMATION

The information has been provided by <mailto:mantra@lkm-zx.net> Manuel
Lopez.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Red-M Red-Alert Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]