[SNS Advisory No.85] XOOPS Multiple Cross-site Scripting Vulnerabilities
----------------------------------------------------------------------
SNS Advisory No.85
XOOPS Multiple Cross-site Scripting Vulnerabilities
Problem first discovered on: Sun, 25 Sep 2005
Published on: Tue, 25 Oct 2005
----------------------------------------------------------------------
Severity Level:
---------------
Medium
Overview:
---------
XOOPS, software for building community websites, contains multiple
cross-site scripting vulnerabilities.
Problem Description:
--------------------
XOOPS is software for building community websites, written in PHP.
XOOPS provides a special tag syntax called "XOOPS Code" that lets users
register text with font attributes or images, without HTML tags, in
modules including private message and forum.

A flaw exists in part of the sanitizing process that converts "XOOPS
Code" into HTML tags. As a result, it is possible to register text
containing arbitrary script in modules where "XOOPS Code" is available.

In addition, another flaw exists only in the forum module (newbb); it
makes it possible to submit text including arbitrary script to a forum.

If the vulnerabilities are exploited, an attacker's script might be
executed when a private message or a message submitted to the forum is
displayed. In that case, users might suffer session hijacking, and the
screen could be manipulated freely by attackers after the users log in.
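
The advisory does not publish the flawed code or the input that triggers
it. The following added example (not XOOPS code and not from LAC) uses a
hypothetical bracket-tag converter to contrast copying tag arguments into
HTML unchecked with escaping first and converting only allow-listed
arguments. Tag names, function names and sample inputs are constructed;
PHP 7 or later is assumed.

```php
<?php
// Added illustration: hypothetical bracket-tag converter, not XOOPS source.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak: tag arguments and body are copied into HTML with no validation.
function render_weak(string $text): string {
    $text = preg_replace('#\[color=(.+?)\](.+?)\[/color\]#is',
                         '<span style="color:$1">$2</span>', $text);
    return preg_replace('#\[url=(.+?)\](.+?)\[/url\]#is',
                        '<a href="$1">$2</a>', $text);
}

// Hardened: escape the whole input first, then convert only tags whose
// argument passes a strict allow-list; anything else stays literal text.
function render_safe(string $text): string {
    $text = esc($text); // [ and ] survive; < > & " ' become entities
    $text = preg_replace_callback('#\[color=([^\]\s]+)\](.+?)\[/color\]#is',
        function (array $m): string {
            if (!preg_match('/\A(?:#[0-9a-f]{6}|[a-z]{1,20})\z/i', $m[1])) {
                return $m[0];
            }
            return '<span style="color:' . $m[1] . '">' . $m[2] . '</span>';
        }, $text);
    return preg_replace_callback('#\[url=([^\]\s]+)\](.+?)\[/url\]#is',
        function (array $m): string {
            // The argument was entity-encoded above: decode, validate, re-encode.
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#\Ahttps?://[^\s"\'<>\[\]]+\z#i', $url)) {
                return $m[0];
            }
            return '<a href="' . esc($url) . '">' . $m[2] . '</a>';
        }, $text);
}

// Constructed inputs: one legitimate post and two that abuse tag arguments.
$samples = [
    '[color=red]hello[/color] [url=http://example.org/?a=1&b=2]link[/url]',
    '[color=red" onmouseover="alert(1)]hover[/color]',
    '[url=javascript:alert(1)]click[/url]',
];
foreach ($samples as $s) {
    echo "weak: ", render_weak($s), "\n";
    echo "safe: ", render_safe($s), "\n\n";
}
```

In the hardened output the second and third inputs are left as escaped
literal text, because their arguments fail the allow-list.
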
Affected Versions:
------------------
XOOPS 2.0.12 JP and prior versions
XOOPS 2.0.13.1 and prior versions
XOOPS 2.2.3 RC1 and prior versions
Solution:
---------
The vulnerabilities can be fixed by updating the software to any
version later than XOOPS 2.0.13 JP.
http://xoopscube.jp/modules/documents/index.php?id=1
Discovered by:
--------------
Keigo Yamazaki (LAC)
Thanks to:
----------
This SNS Advisory is being published in coordination with
Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC.
http://jvn.jp/jp/JVN%2377105349/index.html
http://www.ipa.go.jp/security/vuln/documents/2005/JVN_77105349_XOOPS.html
Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as is. Users act at their own risk when taking
any action after reading this advisory. LAC Co., Ltd. shall take no
responsibility for any problems, loss or damage caused by, or by the
use of, the information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/85_e.html
----------------------------------------------------------------------