<<< Date Index >>>     <<< Thread Index >>>

e107 web portal user.php XSS (Cross Site Scripting)




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-------------------------------------------------
R.A.M Security Advisory
-------------------------------------------------
http://www.ramsecurity.us
-------------------------------------------------
Severity: Medium
Title: e107 web portal user.php xss
Date: May 21, 2004
-------------------------------------------------

  Synopsis:

 All versions of e107 have a vulnerability that
allows javascript or html content in user.php.


  Description:

 All versions of e107 have a vulnerability that
allows xss or html tags and content to be posted to the
Website URL for a member.

 The Problem lies within the usersettings.php
which does not parse < > ( ) tags thus allowing any
user to insert a javascript or html. The problem is
in user.php where the information is displayed. When someone updates their url, 
AIM or MSN field with malicious content it is displayed without being correctly 
parsed. Here is an example of how the input might be crafted: 

URL field:
http://www.mysiteurl.com/&lt;script&gt;alert(document.cookie)&lt;/script&gt;

AIM/MSN field: &lt;script&gt;alert(document.cookie)&lt;/script&gt;

Now whenever a user visits that members profile they
will get a javascript popup with their cookie
information while the link will just show:

http://www.mysiteurl.com/

and when the link is clicked on it will take the user
to mysiteurl.com.

  Impact:

 This may lead to cookie information being
stolen or other such xss attacks.
 
  Solution:

edit user.php from lines 233 to 261 to read. Remove spaces in the replace 
string so that & lt ; etc will form one word:

</td></tr> ";
$source = $user_aim;
//check for bad input and convert it to ISO-8859-1
$bad =  array("<",">","(",")");
$replace = array("& lt ;","& gt ;","& #40 ;","& #41 ;");
 $user_aim = str_replace($bad, $replace, $source);
foreach($user_aim as $aim) {
$user_aim = $aim;
}
$str .= "
                <td style='width:80%'class='forumheader3'>
                        <table style='width:100%'><tr><td style='width:30%'> 
<img src='".e_IMAGE."generic/aim.png' alt=''  style='vertical-align:middle' /> 
".LAN_116."</td><td style='width:70%; text-align:right'>".($user_aim ? 
$user_aim : "<i>".LAN_401."</i>")."</td></tr></table>
                </td></tr>

                <td style='width:80%'class='forumheader3'> ";
$source = $user_msn;
$user_msn = str_replace($bad, $replace, $source);
foreach($user_msn as $msn) {
$user_msn = $msn;
}
$str .= "
                <table style='width:100%'><tr><td style='width:30%'> <img 
src='".e_IMAGE."generic/msn.png' alt=''  style='vertical-align:middle' /> 
".LAN_117."</td><td style='width:70%; text-align:right'>".($user_msn ? 
$user_msn : "<i>".LAN_401."</i>")."</td></tr></table>
                </td></tr> ";
$source = $user_homepage;
$user_homepage = str_replace($bad, $replace, $source);
foreach($user_homepage as $homepage) {
$user_homepage = $homepage;
}
$str .= "

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQK8GK9X3ZZExQKX/EQLyOACg5TX3vqGnXlJpv6sWjkmPTkldG3EAn244
2fdinygjzW7EPp6Fve50QiKe
=MNjB
-----END PGP SIGNATURE-----