XSS vulnerability in XOOPS 2.0.5.1

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS vulnerability in XOOPS 2.0.5.1
From: Chintan Trivedi <chesschintan@xxxxxxxxxxx>
Date: 21 Dec 2003 14:44:39 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm



====================================================================
Advisory by Eye On Security Research Group - India www.eos-india.net 
====================================================================



1.==============================================================Product
2.===============================================================Vendor
3.========================================================Vulnerability
4.========================================================About Product
5.=============================================Details of vulnerability
6.==============================================================Exploit
7.==============================================================Credits




1. Product 
==========

XOOPS 2.0.5.1


2. Vendor
=========

www.xoops.org


3. Vulnerability
================

XSS vulnerability in module weblinks


4. About XOOPS
==============

        XOOPS is a dynamic OO (Object Oriented) based open source portal script 
written in PHP. XOOPS supports a number of databases, making XOOPS an ideal 
tool for developing small to large dynamic community websites, intra company 
portals, corporate portals, weblogs and much more. 


5. Details of vulnerability
===========================

        The weblinks module contains a file named "myheader.php" in 
/modules/mylinks/ directory. The code of the file is as follow : 

---------------------------------
include "../../mainfile.php";
$url = $HTTP_GET_VARS['url'];
$lid = intval($HTTP_GET_VARS['lid']);
.
.
.
<td class='bg4' align="center"><small>
<a target="main" href="ratelink.php?cid=<? echo $cid; ?>&amp;lid=<? echo $lid; 
?>"><? echo _MD_RATETHISSITE; ?></a> | <a target="main" 
href="modlink.php?lid=<? echo $lid; ?>"><? echo _MD_MODIFY; ?></a> | <a 
target="main" href="brokenlink.php?lid=<? echo $lid; ?>"><? echo 
_MD_REPORTBROKEN; ?></a> | <a target='_top' href='mailto:?subject=<? echo 
$mail_subject; ?>&body=<? echo $mail_body;?>'><? echo _MD_TELLAFRIEND; ?></a> | 
<a target='_top' href="<? echo XOOPS_URL; ?>">Back to <? echo 
$xoopsConfig['sitename']; ?></a> | <a target='_top' href="<? echo $url; 
?>">Close Frame</a>
</small>
.
.
-----------------------------------

        The value for variable "url" is used in line 
<a target='_top' href="<? echo $url; ?>">Close Frame</a>

        Thus an attacker can pass a javascript code as a value for variable url 
and get it executed as soon as the victim clicks the "Close Frame" link.


6. Exploit
==========

http://[target]/modules/mylinks/myheader.php?url=javascript:alert(document.cookie);

        Clicking the above link, the victim gets directed to a page containing 
a link "Close Frame" which is actually the javascript code inserted by the 
attacker. The cookie revealed is quite informatic for the attacker to login 
with the hijacked user (including admin) privileges. 


7. Credits
==========

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net

Prev by Date: Re: Remote crash in tcpdump from OpenBSD
Next by Date: osCommerce SQL Injection && DoS && Cross Site Scripting
Previous by thread: PHP-NUKE version <= 6.9 'cid' sql injection exploit
Next by thread: osCommerce SQL Injection && DoS && Cross Site Scripting
Index(es):
- Date
- Thread