Xoops RC3 script injection vulnerability

Tue, 24 Sep 2002 07:49:28 -0700 


--------------------------------------------
| Xoops RC3 script injection vulnerability |
--------------------------------------------


PROGRAM: Xoops
VENDOR: http://www.xoops.org/
VULNERABLE VERSIONS: RC3.0.4,possibly previous versions
IMMUNE VERSIONS: no immune current versions
SEVERITY: high


Product Description
=================== 
"XOOPS is a dynamic OO (Object Oriented) based open source portal script written in 
PHP. XOOPS is the ideal tool for developing small to large dynamic community websites, 
intra company portals, corporate portals, weblogs and much more." dixit vendor website.
It can be found at http://www.xoops.org


Tested version
==============
Xoops RC3.0.4, current version (maybe previous versions are also vulnerables).


Description
============ 
The problem appears when a user post a news, a vulnerability exists in Xoops RC3 that 
allow a typical IMG attack against visitors :

<IMG SRC="javascript:[javascript]"> 


The problem
=========== 
A badly disposed member can propose a news containing code (for une news containing 
code sample of a new vulnerability for example) and if webmasters or moderators don't 
take care, they will approve the news.


Vendor status
=============
I wanted to inform someone from Xoops.org but the website wasn't available, so I 
informed the French team. They weren't aware of this problem so they transmitted it to 
the Dev Team. The Dev Team had already located the vulnerability which is not specific 
to Xoops but with much of scripts.
In future version, a new filter will be inserted in the textsanitizer to avoid even 
more this risk.


Solution
========
There's no secure release of Xoops, so the unique solution is, at this moment to 
disable Html in each post, to avoid the problem.


Links
=====
Vendor: http://www.xoops.org
Vendor French team: http://www.frxoops.org

This vulnerability's orginal paper can be found here: 
http://www.echu.org/modules/news/article.php?storyid=95


------------------------------
David Suzanne (aka dAs)
[EMAIL PROTECTED]
http://www.echu.org



Get your free encrypted email at https://www.hushmail.com

Reply via email to