Author: Magistrat http://www.blocus-zone.com magistrat@blocus-zone com Date: 11/11/2002 Object: IMG bug in quizz module risk: Medium-high advisory url: http://www.blocus-zone.com/modules/news/article.php?storyid=180 ----------------------------------------------------- After having highlighted with echu.org an IMG vulnerability for to xoops and phpnuke, i found an another risk on different kind of portal with the module quizz. Description of quizz : This is just the module who permit to a webmaster to propose quiz, with a good administration in the elaboration of answers/questions and explanations in case of wrong answers. Quiz for xoops is an adaptation of phpnuke. As for the news module of xoops or phpnuke, quizz does not escape to the confidential problem who asserts himself between a webmaster and his member, because options of this module permit to propose on-line questions by members. ------------------------------------------------------ The vulnerability : If the moderating/administrator of this module allows the on line development of questions, he takes a risk like this : <IMG SRC="javascript:alert('blocus-zone')"> placed in a multiple answer. ( Note that the code that we have a presented here is not dangerous, however there is some codes much more malicious for the subtilization of admin cookie ) to verify questions elaborated by his member, the moderator or admin goes to visualize before the proposal, even then , a pop up creates a page in his final form to give a visualization to the approver of questions/quiz, and this cause automatically the bug on browser, without that the administrator or the moderator have not been able to perceive him before. ------------------------------------------------------ Demonstration and translation on this page : http://www.blocus-zone.com/modules/news/article.php?storyid=180 xoops as well as the creators of this modules has prevented, but to my great disappointment, no answer and no patch was given to me, and this since 1 week. Regards Magistrat (sorry for my poor english, i'm french)
