Kshop module search variable & field remote XSS
Vendor URL: http://www.kaotik.biz/
Advisory: http://lostmon.blogspot.com/2008/08/kshop-module-search-variable-and-field.html
Vendor notified: no
Exploit available: YES
##########################################
Kshop is an e-commerce PHP/MySQL script module for
multiple CMS systems such as Xoops, e-xoops, bcoos and
ImpressCMS, and probably for any CMS based on Xoops code.
Kshop contains a flaw that allows a remote cross-site
scripting attack. The flaw exists because the
application does not validate the 'search' variable and
the search form field included in this module upon
submission to the 'kshop_search.php' script of the Kshop module.
This could allow an attacker to create a specially crafted form
that would execute arbitrary script in a user's browser within
the trust relationship between the browser and the server,
leading to loss of integrity.
#################
Versions
################
Kshop module 2.22
I made a test with ImpressCMS,
and the Kshop module in this CMS
has version 2.23 ????
It is possible that prior versions
are affected too.
It affects the following CMS systems if
this module is installed:
Xoops
e-xoops
ImpressCMS
Bcoos
and any other that uses Xoops code and this module.
###################
Solution
###################
At this moment there is no vendor solution...
but you can make a simple patch: open kshop_search.php
inside the kshop module folder; around line 45 you have
[code]
$xoopsTpl->assign('searchTerm', $_POST['search']);
[/code]
You can use the strip_tags() PHP function, like:
[code]
$xoopsTpl->assign('searchTerm', strip_tags($_POST['search']));
[/code]
Now it is patched, because this removes all tags from the search variable.
Or you can use the htmlentities() PHP function for a much cleaner patch, like:
[code]
$xoopsTpl->assign('searchTerm', htmlentities($_POST['search']));
[/code]
Or, much more restrictive:
[code]
$xoopsTpl->assign('searchTerm', htmlspecialchars($_POST['search']));
[/code]
Happy patching!!!
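The following is an added example, not code from the Kshop module or from the advisory's author: it places the vulnerable assignment described above beside a hardened version and runs both through a small stand-in for the template line that reflects the term into the search form. It goes one step beyond the patch text by passing ENT_QUOTES (the default htmlspecialchars() flags in PHP 5 leave single quotes unencoded) and by re-applying the form's 20-character limit on the server. The function names, the renderer and the use of the mbstring extension are assumptions.

```php
<?php
// Added example, not code from the Kshop module. The constructed input is
// the advisory's own proof-of-concept string; function names and the
// renderer that stands in for the Smarty template are assumptions.

// Vulnerable pattern from kshop_search.php: the raw POST value is handed
// to the template and later echoed back into the search form unescaped.
function search_term_vulnerable(array $post)
{
    return isset($post['search']) ? (string) $post['search'] : '';
}

// Hardened pattern: encode for HTML output. ENT_QUOTES also encodes single
// quotes, which the default flags in PHP 5 leave alone. The 20-character
// limit the form applies client-side is enforced again here, because a
// crafted form does not honour it (mb_substr assumes the mbstring extension).
function search_term_hardened(array $post)
{
    $term = isset($post['search']) ? (string) $post['search'] : '';
    $term = mb_substr($term, 0, 20, 'UTF-8');
    return htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the template line that reflects the term into the form.
function render_search_input($term)
{
    return '<input type="text" name="search" value="' . $term . '">';
}

// Constructed request, reproducing the advisory's sample value.
$post = array('search' => '"><script>alert()</script>');

// With the vulnerable version the quote and angle brackets survive and
// close the value attribute; with the hardened version they are encoded
// as &quot; &lt; &gt; and the input stays a plain text box.
echo "vulnerable: ", render_search_input(search_term_vulnerable($post)), "\n";
echo "hardened:   ", render_search_input(search_term_hardened($post)), "\n";
```

Note that strip_tags() is not an output encoder: it leaves quote characters in place, so it does not protect a value that is reflected inside an HTML attribute the way this one is.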
###################
Proof of Concept.
###################
This issue cannot be exploited directly by URL,
because the form field has a limit of 20 characters
and the request must be a POST; a URL is a GET,
so it cannot be exploited directly that way.
This is not a problem: a form can be made that sends the POST
without any restriction on the form field, and used to exploit it.
Put some JavaScript or HTML code in the form field.
Example: "><script>alert()</script>
It is necessary to put "> before the code.
[code]
<form action="http://[victim]/modules/kshop/kshop_search.php" method="POST">
<input type="text" name="search" value="Put your XSS Here !!!">
<input type="image" src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif">
</form>
[/code]
############## End ###################
Thanks to estrella for being my light
Thanks to all the Lostmon Team!
Thanks to imydes from www.imydes.com
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....