XSS in e107 website system

From: Pete Foster (petef@sec-tec.co.uk)
Date: Fri Jul 25 2003 - 02:11:12 PDT


    Sec-Tec Advisory - Multiple XSS in e107
    
    The most up to date version of this advisory can always be found at:
    www.sec-tec.co.uk/vulnerability/e107xss.html
    
    Advisory creation date:	14th July 2003
    Product:		e107 blog/portal system
    Tested version:		0.554
    Vulnerability:		Multiple XSS
    Discovered by:		Pete Foster - Sec-Tec Ltd (www.sec-tec.co.uk)
    
    Product:
    e107 is what is commonly known as a CMS, or content management system. It
    gives you a completely interactive website without the need to learn HTML,
    PHP etc.
    
    Description:
    During a penetration test of a client's network, XSS issues were found in
    the e107 application.  The application uses custom tags that allow users to
    format text without writing HTML.  A flaw in the sanitization of these tags
    lets a user break out of the attribute the tag is expanded into and insert
    arbitrary attributes, and therefore script, into the generated HTML.  This
    vulnerability could be used to steal cookie data.  The vulnerability can be
    exploited by unauthenticated users through the "Chatbox" feature of the
    site: the Chatbox allows users to post messages anonymously, and these
    messages appear in the main template of all pages.
    
    Affected object:
    The file that is responsible for processing the custom tags is class2.php,
    the function being tp($text, $mode="off").
    
    Exploit:
    On pages where the custom tags can be entered (Chatbox, forum posts) the
    following tags can be manipulated.  Each payload closes the quoted src/href
    attribute that the tag is expanded into and appends an event-handler
    attribute of its own:
    [img][/img] - [img]/imgsrc.png' onmouseover='alert("Vulnerable");[/img]
    [link][/link] - [link]/link.htm" onmouseover="alert('Vulnerable');[/link]
    [email][/email] - [email]/fooat_private" onmouseover="alert('Vulnerable');[/email]
    [url][/url] - [url]/url.htm" onmouseover="alert('Vulnerable');[/url]
    
    Fix:
    Add a filter to the search/replace array in class2.php (function tp) that
    removes script code (i.e. onmouseover, onclick, etc.).  Note that a
    blacklist of event-handler names only treats the symptom: the root cause is
    that the tag body is written into a quoted attribute without the quote
    characters being escaped.  The tag body should be validated as a URL (or, for
    [email], as an address) and escaped for an attribute context before it is
    placed in the generated HTML.
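    The following is an added example, not code from e107 or from the
    advisory.  It models the custom-tag to HTML conversion described above in
    Python: a flawed renderer that drops the tag body straight into a quoted
    attribute, a hardened renderer that validates and escapes the body, and a
    check that parses the resulting HTML and reports any on* attributes.  The
    HTML shapes produced for each tag (single-quoted src for [img],
    double-quoted href for the others) are assumptions chosen to match the quote
    style of the payloads in the Exploit section; the four payloads are the ones
    from this advisory, the [email] one as the archive shows it.

```python
"""Model of the [img]/[link]/[email]/[url] custom-tag conversion, flawed and
hardened.  Not e107's code: the output shapes and the hardening are
assumptions made for this example."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed output shape per tag.  Quote style mirrors the advisory's payloads:
# [img] expands to a single-quoted src, the rest to a double-quoted href.
TAG_TEMPLATES = {
    "img":   "<img src='{0}' />",
    "link":  '<a href="{0}">{0}</a>',
    "email": '<a href="mailto:{0}">{0}</a>',
    "url":   '<a href="{0}">{0}</a>',
}
TAG_RE = re.compile(r"\[(img|link|email|url)\](.*?)\[/\1\]", re.S)

# The four payloads from the advisory, used as sample input.
ADVISORY_PAYLOADS = [
    "[img]/imgsrc.png' onmouseover='alert(\"Vulnerable\");[/img]",
    "[link]/link.htm\" onmouseover=\"alert('Vulnerable');[/link]",
    "[email]/fooat_private\" onmouseover=\"alert('Vulnerable');[/email]",
    "[url]/url.htm\" onmouseover=\"alert('Vulnerable');[/url]",
]


def render_vulnerable(text):
    """Flawed conversion: the tag body is substituted into the attribute as-is,
    so a quote in the body closes the attribute and the rest of the body
    becomes further attributes (here: onmouseover=...)."""
    return TAG_RE.sub(lambda m: TAG_TEMPLATES[m.group(1)].format(m.group(2)), text)


def safe_attr_value(tag, body):
    """Allow only a plain http(s)/relative URL (or a simple address for
    [email]); anything else is replaced by '#'.  The accepted value is then
    escaped for an attribute context, so quotes can never end the attribute."""
    if tag == "email":
        ok = re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", body) is not None
    else:
        try:
            scheme = urlsplit(body).scheme
        except ValueError:
            scheme = None
        ok = scheme in ("", "http", "https") and not re.search(r"[\s\"'<>]", body)
    return html.escape(body, quote=True) if ok else "#"


def render_hardened(text):
    """Same templates, but every tag body goes through safe_attr_value first."""
    return TAG_RE.sub(
        lambda m: TAG_TEMPLATES[m.group(1)].format(safe_attr_value(m.group(1), m.group(2))),
        text,
    )


class _EventHandlerFinder(HTMLParser):
    """Collects the names of on* attributes on every start tag."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.extend(name for name, _ in attrs if name.startswith("on"))


def event_handlers(fragment):
    """Return the on* attribute names present in a rendered fragment.  A
    non-empty list means a tag body escaped its attribute."""
    parser = _EventHandlerFinder()
    parser.feed(fragment)
    parser.close()
    return parser.found


def audit(payloads=ADVISORY_PAYLOADS):
    """For each payload: (handlers leaked by the flawed renderer,
    handlers left by the hardened renderer)."""
    return [(event_handlers(render_vulnerable(p)), event_handlers(render_hardened(p)))
            for p in payloads]


if __name__ == "__main__":
    for payload, (flawed, hardened) in zip(ADVISORY_PAYLOADS, audit()):
        print(f"{payload[:7]:7} flawed={flawed} hardened={hardened}")
```

    Running the block shows each advisory payload producing an onmouseover
    attribute from the flawed renderer and none from the hardened one, while a
    benign [url] renders identically through both.  The check in
    event_handlers is the kind of assertion to keep in a test suite for the
    tag renderer: it inspects the parsed attributes rather than grepping for
    the handler name, so it still catches a body that breaks out of the
    attribute using a handler the blacklist did not list.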
    
    Release timeline:
    Vulnerability discovered:	June 13th 2003
    Vendor notified:		June 20th 2003
    Vendor response:		No response
    Public release:			24th July 2003
    
    If using this document, please link to:
    http://www.sec-tec.co.uk/vulnerability/e107xss.html
    



    This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 11:16:59 PDT