====================================================================
Advisory by Eye On Security Research Group - India
www.eos-india.net
====================================================================

1. Product
2. Vendor
3. Vulnerability
4. About Product
5. Details of vulnerability
6. Exploit
7. Credits

1. Product
==========
XOOPS 2.0.5.1

2. Vendor
=========
www.xoops.org

3. Vulnerability
================
XSS vulnerability in module weblinks

4. About XOOPS
==============
XOOPS is a dynamic OO (Object Oriented) based open source portal script
written in PHP. XOOPS supports a number of databases, making XOOPS an ideal
tool for developing small to large dynamic community websites, intra-company
portals, corporate portals, weblogs and much more.

5. Details of vulnerability
===========================
The weblinks module contains a file named "myheader.php" in the
/modules/mylinks/ directory. The code of the file is as follows:

---------------------------------
include "../../mainfile.php";
$url = "">$lid = intval($HTTP_GET_VARS['lid']);
.
.
.
<td class='bg4' align="center"><small>
<a target="main" href=""><? echo _MD_RATETHISSITE; ?></a> |
<a target="main" href=""><? echo _MD_MODIFY; ?></a> |
<a target="main" href=""><? echo _MD_REPORTBROKEN; ?></a> |
<a target='_top' href=''><? echo _MD_TELLAFRIEND; ?></a> |
<a target='_top' href="">Back to <? echo $xoopsConfig['sitename']; ?></a> |
<a target='_top' href="">Close Frame</a>
</small>
.
.
-----------------------------------

The value of the variable "url" is used in the line

<a target='_top' href="">Close Frame</a>

Thus an attacker can pass JavaScript code as the value of the variable url
and get it executed as soon as the victim clicks the "Close Frame" link.

6. Exploit
==========
http://[target]/modules/mylinks/myheader.php?url="">

Clicking the above link directs the victim to a page containing a
"Close Frame" link, which is actually the JavaScript code inserted by the
attacker. The cookie revealed is informative enough for the attacker to log
in with the hijacked user's (including admin) privileges.

7. Credits
==========
Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India" - www.eos-india.net
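One way to close the hole described in section 5, as an added example that is not XOOPS code and not part of the advisory: accept only absolute http(s) values for "url" and escape the result for a quoted HTML attribute. The function names, the fallback path and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hardened handling of the "url" parameter before it is
// written into the "Close Frame" href. Helper names are hypothetical.

/**
 * Return $raw only if it is an absolute http(s) URL; otherwise return
 * the fallback. This rejects javascript:, data: and other schemes, and
 * values that are not URLs at all.
 */
function safe_frame_url($raw, $fallback)
{
    if (!is_string($raw) || $raw === '') {
        return $fallback;
    }
    // Control characters and whitespace have no place in a link target.
    if (preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return $fallback;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return $fallback;
    }
    return $raw;
}

/** Build the link with the value escaped for a quoted HTML attribute. */
function close_frame_link($raw, $fallback)
{
    $href = htmlspecialchars(safe_frame_url($raw, $fallback), ENT_QUOTES, 'UTF-8');
    return '<a target="_top" href="' . $href . '">Close Frame</a>';
}

// Constructed sample inputs (not taken from the advisory).
$samples = array(
    'http://example.org/page?a=1&b=2',  // ordinary link: kept, & escaped
    'javascript:void(0)',               // non-http scheme: replaced by fallback
    '"><i>constructed</i>',             // not a URL: replaced by fallback
    'http://example.org/"><i>x</i>',    // quote inside URL: kept but escaped
);
foreach ($samples as $s) {
    // Fallback path is an assumption: the module's own index page.
    echo close_frame_link($s, '/modules/mylinks/'), "\n";
}
```

The scheme check and the escaping cover different cases: the first stops a script-scheme link target, the second stops a value from closing the href attribute and adding markup.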
