[UNIX] CPAINT AJAX Library Cross Site Scripting

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



CPAINT AJAX Library Cross Site Scripting
------------------------------------------------------------------------


SUMMARY

"CPAINT (Cross-Platform Asynchronous INterface Toolkit) is a
multi-language toolkit that helps web developers design and implement AJAX
web applications with ease and flexibility."

CPAINT does not sanitize all user supplied data properly which leads to
cross site scripting. This makes not only CPAINT vulnerable, but the
applications that use CPAINT as a third party library.

DETAILS

Vulnerable Systems:
* CPAINT version 2.0.2 and prior

Immune Systems:
* CPAINT v ersion 2.0.3

There is a cross site scripting issue in CPAINT versions prior to 2.0.3
that allows for a malicious user to conduct cross site scripting attacks
against the application using the CPAINT libraries.

http://cpaint/script.php?cpaint_response_type=%3Ciframe%20src=http://www.gulftech.org/%3E

The above is an example of the Cross Site Scripting issue.

Note that script.php is just symbolic as the name of the script would
obviously be the script making use of the CPAINT library.

The vulnerability occurs in this case within the file cpaint2.inc.php @
lines 169-172:
// determine response type
if (isset($_REQUEST['cpaint_response_type'])) {
$this->response_type = strtoupper((string)
$_REQUEST['cpaint_response_type']);
} // end: if

The above code causes the response_type variable to become whatever the
attacker wants it to be, and is later used in a switch statement where it
is echoed back to the end user.
This vulnerability can lead to disclosure of client side data and possibly
aid in social attacks.

Vendor Status:
A new version of CPAINT is now available and users should upgrade to
CPAINT 2.0.3:
<http://cpaint.booleansystems.com/forums/viewtopic.php?t=98>
http://cpaint.booleansystems.com/forums/viewtopic.php?t=98


ADDITIONAL INFORMATION

The information has been provided by <mailto:security@xxxxxxxxxxxx>
GulfTech Security.
The original article can be found at:
<http://www.gulftech.org/?node=research&article_id=00097-02092006>
http://www.gulftech.org/?node=research&article_id=00097-02092006



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages