ECHU Alert #2: IMG Attack in the news : 6 CMS vulnerable

From: das@hush.com
Date: 09/25/02


Date: Tue, 24 Sep 2002 20:10:19 -0700
To: bugtraq@securityfocus.com
From: das@hush.com


---------------------------------------------
| IMG Attack in the news : 6 CMS vulnerable |
---------------------------------------------

PROGRAM: XOOPS, PHP-NUKE, NPDS, daCode, Drupal, phpWebSite
VULNERABLE VERSIONS: I believe that all versions are vulnerable
IMMUNE VERSIONS: none at present
SEVERITY: high

Tested version
==============
Xoops RC3.0.4, PHP-Nuke 6.0, NPDS 4.8 SuperCache, daCode 1.2.0, Drupal 4.0.0 and phpWebSite 0.8.3

Description
============
After sending the ECHU alert on "Xoops RC3 script injection vulnerability" (http://www.echu.org/modules/news/article.php?storyid=95), I realized that it is not a XOOPS problem (Kazumi Ono, XOOPS developer, and Jan304, XOOPS Dutch Support, confirmed this) but an HTML problem that is hard to fix and can be misused in almost every CMS.

The problem appears when a user posts a news item: these CMS accept the submitted HTML unfiltered, which allows a typical IMG attack against visitors:

<IMG SRC="javascript:alert('unsecure')">

In order to test this vulnerability, you can go to websites that use these CMS, post a news item with this code and see the result.

The problem
===========
A malicious member can submit a news item containing code (for example, a news item containing a code sample of a new vulnerability), and if webmasters or moderators are not careful, they will approve it.

Vendors status
==============
XOOPS: It should be fixed in future versions
PHP-NUKE: No email address on the website, so we could not contact them
NPDS: They have been contacted by Magistrat (http://www.blocus-zone.com/) and should fix it in future versions
daCode: No email address on the website, so we could not contact them
Drupal: No email address on the website, so we could not contact them
phpWebSite: It should be fixed in future versions

Solution
========
There is no secure release of these CMS, so the only solution at this moment is to disable HTML in each news post. The "removehack" from NPDS does not fix the problem, even though the NPDS team says it does.
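Disabling HTML in news posts, as recommended above, is the safe short-term fix. A CMS that wants to keep some markup needs an allowlist sanitizer that validates the scheme of every URL attribute, because the payload in this advisory contains no <script> tag at all and a filter that only strips script tags will pass it through. The following is an added example written for this page, not code from any of the CMS listed (those are PHP projects; Python is used here for illustration). The "naive" filter is an assumed illustration of the tag-stripping approach, not a reproduction of the NPDS removehack, and the sample post is constructed.

```python
import re
from html import escape, unescape
from html.parser import HTMLParser

# Constructed sample news post embedding the payload quoted in the advisory.
SAMPLE_POST = (
    "Security news: a new bug was found. "
    "<IMG SRC=\"javascript:alert('unsecure')\"> "
    '<a href="http://www.echu.org">source</a> <b>read more</b>'
)

ALLOWED_TAGS = {"b", "i", "p", "br", "a", "img"}
URL_ATTRS = {"src", "href"}
OTHER_ATTRS = {"alt", "title"}
SAFE_SCHEMES = {"http", "https"}


def naive_script_strip(html: str) -> str:
    """Assumed example of a tag-stripping filter: removes <script> blocks only.
    It never looks at attribute values, so the IMG payload survives."""
    return re.sub(r"(?is)<script.*?>.*?</script>", "", html)


def safe_url(value: str) -> bool:
    """Accept only http(s) URLs or scheme-less relative paths.
    The scheme is read after entity decoding and after dropping ASCII control
    and whitespace characters, so case or embedded tabs do not hide it."""
    decoded = unescape(value)
    cleaned = "".join(ch for ch in decoded if ch > " " and ch != "\x7f")
    scheme, sep, _ = cleaned.partition(":")
    if not sep:
        return True  # no scheme at all: relative URL
    return scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the post from an allowlist of tags and attributes; everything
    else is dropped and recorded so a moderator can see what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr, value) tuples that were rejected

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None, None))
            return
        kept = []
        has_src = False
        for name, value in attrs:
            value = value or ""
            if name in URL_ATTRS:
                if not safe_url(value):
                    self.dropped.append((tag, name, value))
                    continue
                has_src = has_src or name == "src"
            elif name not in OTHER_ATTRS:
                self.dropped.append((tag, name, value))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "img" and not has_src:
            return  # an <img> whose src was rejected is dropped entirely
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped on output


def sanitize(html: str):
    """Return (clean_html, dropped_items) for a submitted news post."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    print("naive:", naive_script_strip(SAMPLE_POST))
    clean, dropped = sanitize(SAMPLE_POST)
    print("allowlist:", clean)
    print("dropped:", dropped)
```

The `dropped` list is the part worth wiring into moderation: a queued news item whose submission rejected a `src` or `href` value is exactly the post a moderator should look at before approving.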

Links
=====
XOOPS: http://www.xoops.org
PHP-NUKE: http://www.php-nuke.org
NPDS: http://www.npds.org
daCode: http://www.dacode.org
Drupal: http://www.drupal.org
phpWebSite: http://phpwebsite.appstate.edu
Blocus Advisory on NPDS: http://www.blocus-zone.com/modules/news/article.php?storyid=132

This vulnerability's original paper can be found here: http://www.echu.org/modules/news/article.php?storyid=97

David Suzanne (aka dAs)
das@echu.org
http://www.echu.org

-----------------------------------------------------------------
ECHU.ORG is not responsible for the misuse of the information we
provide through our security advisories. These advisories are a
service to the professional security community. In no event shall
ECHU.ORG be liable for any consequences whatsoever arising out of
or in connection with the use or spread of this information.
-----------------------------------------------------------------
