[Full-disclosure] XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))

[[EMAIL PROTECTED]]

Small XSS Bug in JAWS gadget: Glossary all versions vulnerable 0.3 - 0.5 
latest beta (beta2)

STATUS: The vendor has been contacted and they fixed the bug but they 
havent released an official patch yet.
(You can find a provisional patch at the end of the file)

TECHNICAL INFO
================================================================
The Glossary gadget doesn't filter dangerous characters in the process of
adding a new word to the glossary, allowing the instertion of items
from "<script>alert(document.cookie)</script> to more complex code". 
Futhermore, the theft
of cookies and escalade of permissions ( in the case of someone with 
lower access than you inserts malicious code and tries to steal your 
access )

VULNERABLE VERSIONS
- --------------------------------------------------------------
0.4-LATEST BETA (2)
FIX
------------------------------------------------------------------
Replace the NewTerm function in GlossaryModel.php
for this new one.
/**
       * Adds a new term
       *
       * @acess   public
       * @param   string  $term Term
       * @param   string  $desc Term's description
       * @return  boolean Returns true if term was added
       */
      function NewTerm ($term, $desc)
      {
              //xss fix
              if(stristr($term, "<") || stristr($term, ">"))
                      $term = strip_tags($term);
              if(stristr($desc, "<") || stristr($desc, ">"))
                      $desc = strip_tags($desc);
              $sql = "INSERT INTO [[term]] (term, description, 
createtime, updatetime)
              VALUES ({term},{desc},NOW(),NOW())";
              $rs = $GLOBALS["app"]->DB->Execute ($sql, array ("term" 
=> $term,
                                                                                                               
"desc" => $desc));

              if ($rs) {
                      $GLOBALS["session"]->PushLastResponse 
(_t("GLOSSARY_TERM_ADDED"),
RESPONSE_NOTICE);
                      return true;
              } else {
                      $GLOBALS["session"]->PushLastResponse
(_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), RESPONSE_ERROR);
                      return new JawsError 
(_t("GLOSSARY_ERROR_TERM_NOT_CREATED"),
_t("GLOSSARY_NAME"));
              }
      }

----------------------------------------------------------
Contact information
:Paulino Calderon
:[EMAIL PROTECTED]
:http://suckea.com/nah/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/