+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A12 ----/----------/+
+/-----------\----- salperat_private ---/-----------/+

Advisory Information
--------------------

Name               : php(Reactor) Cross Site Scripting Vulnerability
Software Package   : php(Reactor)
Vendor Homepage    : http://phpreactor.org/
Vulnerable Versions: v1.2.7 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/05/2002
Vendor Replied     : 15/05/2002
Prior Problems     : N/A
Current Version    : v1.2.7pl1 (immune)

Summary
-------

php(Reactor) is a set of integrated applications focusing on user interaction. Included are articles, content management, bbs/forums, polls, ecards, and chat events. Administration is quick and easy with a browser-based control panel.

A Cross Site Scripting vulnerability exists in php(Reactor). It would allow a remote attacker to send information to victims from untrusted web servers and make it look as if the information came from the legitimate server.

Details
-------

The "browse.php" script in the "comments" section does not filter user input for the $go variable. Any user may therefore craft a malicious link, gain information about users, and possibly even obtain the login information of the administrator.

Here is the proof-of-concept link example:

http://[target]/comments/browse.php?fid=2&tid=4&go=<script>alert (document.cookie)</script>

Note that the $fid and $tid variables should be integers.

Solution
--------

The vendor replied quickly and released a new version on 28/05/2002, which can be downloaded at
http://sourceforge.net/project/showfiles.php?group_id=12105&release_id=91877

Credits
-------

Discovered on 15, May, 2002 by Ahmet Sabri ALPER <salperat_private>
ALPER Research Labs.

References
----------

Product Web Page: http://www.phpreactor.org/
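As an added illustration that is not php(Reactor)'s own code (the real browse.php source is not on this page), the following hypothetical PHP fragment reproduces the unfiltered reflection of $go that the advisory describes, beside a hardened version that validates $fid and $tid as integers and encodes $go for both the URL and HTML contexts it lands in; the sample requests and function names are constructed assumptions.

```php
<?php
// Hypothetical reconstruction for illustration only; not php(Reactor) code.

// Constructed sample requests standing in for $_GET on comments/browse.php.
$tainted = ['fid' => '2', 'tid' => '4', 'go' => '<script>alert(1)</script>'];
$badIds  = ['fid' => '2', 'tid' => '4abc', 'go' => 'latest'];

// Vulnerable pattern: query-string values are written straight into the
// HTML response, so any markup carried in $go is rendered by the browser.
function render_vulnerable(array $q): string
{
    $fid = $q['fid'] ?? '';
    $tid = $q['tid'] ?? '';
    $go  = $q['go']  ?? '';
    return "<a href=\"browse.php?fid=$fid&tid=$tid&go=$go\">$go</a>";
}

// Hardened pattern: numeric ids must validate as integers (the advisory
// notes $fid and $tid are meant to be integers), and the free-text $go is
// URL-encoded inside the href and HTML-encoded everywhere it is displayed.
function render_hardened(array $q): string
{
    $fid = filter_var($q['fid'] ?? '', FILTER_VALIDATE_INT);
    $tid = filter_var($q['tid'] ?? '', FILTER_VALIDATE_INT);
    if ($fid === false || $tid === false) {
        return 'Invalid forum or thread id';   // reject, do not reflect
    }
    $goRaw  = (string) ($q['go'] ?? '');
    $goHref = htmlspecialchars(rawurlencode($goRaw), ENT_QUOTES, 'UTF-8');
    $goText = htmlspecialchars($goRaw, ENT_QUOTES, 'UTF-8');
    return "<a href=\"browse.php?fid=$fid&amp;tid=$tid&amp;go=$goHref\">"
         . "$goText</a>";
}

echo "Vulnerable output:\n", render_vulnerable($tainted), "\n\n";
echo "Hardened output:\n",   render_hardened($tainted),   "\n\n";
echo "Hardened with non-integer tid:\n", render_hardened($badIds), "\n";
```

In the hardened output the angle brackets of the injected tag appear as &lt; and &gt;, so the browser shows the text instead of executing it, and the request with tid=4abc is refused before anything is echoed.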
This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 10:57:02 PDT