Author: Magistrat Date: 30/03/2003 Object: XOOPS glossary Module Input Filtering Bug Allows Remote Users to Conduct Cross-Site Scripting Attacks Impact: Disclosure of authentication information, Execution of arbitrary code via network, Modification of user information, User access via network Fix: yes -------------------------------------------------- After the module quizz and private message of xoops, i have found an another risk in glossary whit some test on Web sites using xoops versions 1.3.8 to 1.3.9 ( Glossary on V2.0 is not holed ) Description of glossary module : This is just the module on xoops who permit to make dictionnary with search engine. -------------------------------------------------- The vulnerability : A remote user can conduct cross-site scripting attacks against this module and send a message like this : <url=http://www.blocus-zone.com/modules/glossaire/glossaire-aff.php? lettre=<IMG%20SRC="http://www.blocus- zone.com/modules/news/images/topics/smblocus.gif">]click here for register</url> We obtain: http://www.blocus-zone.com/modules/news/images/topics/bugblocus.jpg ( Note that the code that we have presented here is not dangerous, however there is some codes much more malicious to steal the admin c o o k i e ) -------------------------------------------------- History: the team of xoops dévellopement as her community was prevented on 11/24/2003. Patch are not available by xoops developer. Moreover, the author of the glossary module for 1.3.x versions, work now for an another content management system. Solution: in glossaire-aff.php, add this script : ----------------------------------------------- foreach ($_REQUEST as $key=>$value) { $value=htmlspecialchars($value,ENT_QUOTES); ${$key} = $value; $_GET[$key] = $value; $HTTP_GET_VARS[$key] = $value; } ----------------------------------------------- thanks: to frogman from phpsecure.org > http://www.phpsecure.org (sorry for my poor english ) Regards Magistrat
