Xoops Private Message System Script injection

From: Cabezon Aurélien (aurelien.cabezon@isecurelabs.com)
Date: 01/29/02

• Previous message: Cabezon Aurélien: "Xoops SQL fragment disclosure and SQL injection vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Cabezon Aurélien <aurelien.cabezon@isecurelabs.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 29 Jan 2002 17:00:17 +0100

-- [ Xoops Private Message System Script injection ] --

Discovered on 29/01/2002
Vendor: http://xoops.sourceforge.net

-- [ Overview ] --

XOOPS is an open source portal script written extensively in object-oriented
PHP, backend with MySQL Database.

Xoops offers for members a Private Message System (mail like) that can be
abused in order to execute arbitrary Java Script
Code on other members computer when displaying the Private Message Box.

-- [ Description ]--

The variable coming from the field "Title" of the Private Message System is
not checked for bad input.
That allow malicious member to executed JavaScript code on other members
computer when displaying the Private Message Box.

-- [ Exploit ] --

Just input your JavaScript code into title field when composing the message.
The member who open his Private Messages Box will see a "Test" Windows
Popup.
This JavaScript is not so nasty, but some other can be...
( stolen cookies, Writing to Registry base under some circumstances)

For example:
JavaScript Can Write Anything to the Windows' Registry
http://www.securiteam.com/exploits/5FP080A5FM.html

-- [ Tested Version ] --

Xoops RC1

-- [ Discovered by ] --

Cabezon Aurelien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security portal

Regards,

---
Cabezon Aurélien | aurelien.cabezon@isecurelabs.com
http://www.iSecureLabs.com | French Security Portal
____________________________________________
" Sachez qu'aujourd'hui est le plus beau jour de votre vie,
car c'est le premier de ceux qu'il vous reste ŕ vivre "

---

• Previous message: Cabezon Aurélien: "Xoops SQL fragment disclosure and SQL injection vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Fabric for watercolor quilt ... Does this work where members have some characters in their email ... how do I send a private message? ... (rec.crafts.textiles.quilting) Re: now banned.. ... JimH's first message to me - a 'welcome' message, ... Stop insulting and flaming former members who left your NG and maybe it ... intentions and basically ignored him. ... This is a "Private Message" to you meaning it is between you and me and not ... (rec.boats) Re: Fabric for watercolor quilt ... if an e-mail address is 'made invalid to avoid scam' is click on the 'reply to sender' or whatever the terminology is in your system. ... Then, when the e-mail page comes up, amend the e-mail address as instructed in the group message (most people give instructions on how to alter the changed address so that it will work, in their sig. ... I don't know of a way to send a private message within RCTQ. ... Does this work where members have some characters in their email ... (rec.crafts.textiles.quilting) Re: relocating to u.s. with uk hubby ... The administrator has restricted use of the private message ... system to members with more than 3 posts. ... (misc.immigration.usa)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2002-01