+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A10 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information
--------------------

Name               : News-TNK Cross Site Scripting Vulnerability
Software Package   : News-TNK
Vendor Homepage    : http://www.linux-sottises.net/
Vulnerable Versions: v1.2.1 and older
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 15/03/2002
Prior Problems     : N/A
Current Version    : v1.2.2 (immune)

Summary
-------

News-TNK is a script to submit, validate, unvalidate, comment on and delete news on a website. It is available in French and English at the present time.

A Cross Site Scripting vulnerability exists in News-TNK. It would allow a remote attacker to send information to victims from untrusted web servers and make it look as if the information came from the legitimate server.

Details
-------

The URLs and the user input seem to be filtered pretty well, but I guess that the coders have missed a point. The "WEB" input when replying or creating topics is not filtered enough, so a Cross Site Scripting vulnerability exists in News-TNK.

Example input for the "WEB" input:

<script>alert("ALPERz was here!")</script>

After submitting this information, whenever anyone browses the page where the news message is displayed, the injected script will take effect.

Solution
--------

The vendor replied to my mail and released a new version which is immune to this vulnerability very quickly (on the same day :}). You may download the new version or, if you have made any modifications to the news applet, use the method suggested by me and approved by the vendor: strip HTML tags, and possibly other malicious code, within "news_post.php" (or "news_post3.php").

I suggest the following as a workaround. At the beginning of "news_post.php" add the lines below:

# Patch Start
$web=strip_tags($web);
# Patch End

More info about the new version and patches can be found at:
http://www.linux-sottises.net/software.php

Credits
-------

Discovered on 15 March 2002 by Ahmet Sabri ALPER
salper@olympos.org
http://www.olympos.org

References
----------

Product Web Page: http://www.linux-sottises.net/
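To illustrate the Details and Solution sections above, here is an added PHP example (not News-TNK code, and not part of the original advisory) that places the unfiltered handling of the "WEB" field next to the advisory's strip_tags() workaround and next to a stricter variant that validates the URL and escapes it for the HTML context it lands in. The field name $web, the rendering as an anchor and the sample inputs are assumptions made for the demonstration.

```php
<?php
// Added example, not News-TNK code. Assumes the "WEB" field is in $web and is
// rendered as a link inside the news item.

// Vulnerable pattern: the raw field is written straight into the HTML page, so
// any markup it contains runs in every visitor's browser.
function render_web_unsafe(string $web): string
{
    return '<a href="' . $web . '">' . $web . '</a>';
}

// Advisory workaround: strip_tags() removes the <script> tag from the advisory's
// payload before the value is stored, which is what the suggested patch does.
function render_web_strip_tags(string $web): string
{
    $web = strip_tags($web);
    return '<a href="' . $web . '">' . $web . '</a>';
}

// Stricter variant: accept only an http/https URL, drop anything else, and
// escape the value for both the attribute and the text context.
function sanitize_web(string $web): ?string
{
    $web = trim($web);
    if ($web === '' || filter_var($web, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($web, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $web : null;
}

function render_web_safe(string $web): string
{
    $clean = sanitize_web($web);
    if ($clean === null) {
        return '';                      // invalid or non-URL input is not rendered
    }
    $escaped = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '" rel="nofollow">' . $escaped . '</a>';
}

// Constructed inputs: the advisory's payload, a legitimate URL and a non-URL.
$samples = ['<script>alert("ALPERz was here!")</script>', 'http://www.linux-sottises.net/', 'not a url'];
foreach ($samples as $s) {
    echo "unsafe    : " . render_web_unsafe($s) . "\n";
    echo "strip_tags: " . render_web_strip_tags($s) . "\n";
    echo "validated : " . render_web_safe($s) . "\n\n";
}
```

The strip_tags() workaround removes the tag from the advisory's payload, while the validated variant additionally rejects values that are not web URLs at all and escapes what it does render, so the output stays inert regardless of the context it is inserted into.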