[MajorSecurity #19] AutoRank <= 5.01 - Multiple XSS and cookie disclosure
[MajorSecurity #19] AutoRank <= 5.01 - Multiple XSS and cookie disclosure
------------------------------------------------------------
Software: AutoRank
Version: <=5.01
Type: Cross site scripting
Discovery Date: June, 23th 2006
Made public: July, 2nd 2006
Vendor: JMB SOFTWARE
Page: http://www.jmbsoft.com/
Rated as: Low Risk
Credits:
----------------------------------------------
Discovered by: David "Aesthetico" Vieira-Kurz
http://www.majorsecurity.de
Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls19.txt
Affected Products:
----------------------------------------------
AutoRank PHP 3.02 and prior
AutoRank Pro 5.01 and prior
Contacted Vendor:
----------------------------------------------
I have contacted the vendor on June, 25th 2006 at 12:25 PM via e-mail.
The vendor replied to my e-mail on June, 26th 2006, but there's still no fix
available.
A copy of the e-mail is attached as screenshoot at the end of this text.
Description:
----------------------------------------------
AutoRank PHP is our next generation toplist software, written completely in PHP
and backed by a MySQL database.
AutoRank Professional is a complete top list software package.
It will keep a database of accounts, and the account holders can then send hits
to your site.
Requirements:
----------------------------------------------
register_globals = On
Vulnerability:
----------------------------------------------
Input passed to the "Keyword" parameter in "search.php" and "Username"
parameter in "main.cgi" isn't properly sanitised before being returned to the
user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
Solution(Against XSS-attacks):
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "strip_tags()" php-function to
ensure that html tags
are not going to be executed.
Example:
<?php
echo htmlspecialchars("<script");
?>
Set "register_globals" to "Off".
Screenshoots:
----------------------------------------------
http://majorsecurity.de/advisory/AutoRank.JPG
http://majorsecurity.de/advisory/jmb_reply.JPG