Xoops RC3 script injection vulnerability

From: dasat_private
Date: Tue Sep 24 2002 - 06:58:50 PDT

Next message: Rossen Raykov: "JSP source code exposure in Tomcat 4.x"

Previous message: Ron DuFresne: "[Full-Disclosure] Slapper worm redux;"
Next in thread: Sergio: "Re: Xoops RC3 script injection vulnerability"
Reply: Sergio: "Re: Xoops RC3 script injection vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

--------------------------------------------
| Xoops RC3 script injection vulnerability |
--------------------------------------------


PROGRAM: Xoops
VENDOR: http://www.xoops.org/
VULNERABLE VERSIONS: RC3.0.4,possibly previous versions
IMMUNE VERSIONS: no immune current versions
SEVERITY: high


Product Description
=================== 
"XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS is the ideal tool for developing small to large dynamic community websites, intra company portals, corporate portals, weblogs and much more." dixit vendor website.
It can be found at http://www.xoops.org


Tested version
==============
Xoops RC3.0.4, current version (maybe previous versions are also vulnerables).


Description
============ 
The problem appears when a user post a news, a vulnerability exists in Xoops RC3 that allow a typical IMG attack against visitors :

<IMG SRC="javascript:[javascript]"> 


The problem
=========== 
A badly disposed member can propose a news containing code (for une news containing code sample of a new vulnerability for example) and if webmasters or moderators don't take care, they will approve the news.


Vendor status
=============
I wanted to inform someone from Xoops.org but the website wasn't available, so I informed the French team. They weren't aware of this problem so they transmitted it to the Dev Team. The Dev Team had already located the vulnerability which is not specific to Xoops but with much of scripts.
In future version, a new filter will be inserted in the textsanitizer to avoid even more this risk.


Solution
========
There's no secure release of Xoops, so the unique solution is, at this moment to disable Html in each post, to avoid the problem.


Links
=====
Vendor: http://www.xoops.org
Vendor French team: http://www.frxoops.org

This vulnerability's orginal paper can be found here: http://www.echu.org/modules/news/article.php?storyid=95


------------------------------
David Suzanne (aka dAs)
dasat_private
http://www.echu.org



Get your free encrypted email at https://www.hushmail.com

Next message: Rossen Raykov: "JSP source code exposure in Tomcat 4.x"
Previous message: Ron DuFresne: "[Full-Disclosure] Slapper worm redux;"
Next in thread: Sergio: "Re: Xoops RC3 script injection vulnerability"
Reply: Sergio: "Re: Xoops RC3 script injection vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 08:15:09 PDT