Smilehouse Oy
-= Security Advisory =-
Advisory: PHP Link Directory XSS Vulnerability
Release Date: 2007/01/21
Last Modified: 2007/01/21
Authors: Jussi Vuokko, CISSP [jussi.vuokko@xxxxxxxxxxxxxx]
Henri Lindberg, Associate of (ISC)² [henri.lindberg@xxxxxxxxxxxxxx]
Application: PHP Link Directory <= 3.0.6
Severity: XSS vulnerability within the administration
interface allow Cross Site Scripting attacks against
the link directory admin
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.smilehouse.com/advisory/phplinkdirectory_070121.txt
Overview:
Quote from http://www.phplinkdirectory.com
"phpLD is now the most widely used directory script on the
internet. Our customers having tested the script on over 10,000
websites has allowed us to bring you a script that works in
virtually all PHP hosting environments. Put simply, it just
works."
During an quick audit of PHP Link Directory it was discovered that
XSS vulnerability exist in the administration area. Thus, it is
possible for an attacker, tricking an admin, to validate submitted
link, and to perform any administrative actions in the link
directory. These include e.g. posting entries or adding additional
admin users.
Details:
PHP Link Directory failed to sanitize user input correctly on the
administration page. User can submit link (URL) containing
javascript which will be executed on the administration page after
selecting "Validate links" -> "Start". This is due to the URL being
saved without HTML encoding.
Proof of Concept:
Example of an URL:
http://www.example.com/index.html";><script>;alert('url');</script>
As "Validate links" -> "Start" is selected on the administration
page the javascript alert will pop up.
Workaround
Update to PHP Link Directory > 3.0.6.
Disclosure Timeline:
30. October 2006 - Contacted PHP Link Directory developers by email
1. December 2006 - Vender released an updated version
21. January 2007 - Advisory was released
Copyright 2007 Smilehouse Oy. All rights reserved.
