fixing XSS issues in RMSOFT donwload plus
RMSOFT XSS Vulnerability
report:
http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html
###################
FIX $key variable
###################
open modules/rmdp/include/rmdp_functions.php
arround line 314 found function rmdp_make_searchnav()
found this code:
#####################
[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ?($_GET['key'] : '');
$xoopsTpl->assign('key', $key);
[/code]
the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:
[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');
$xoopsTpl->assign('key', $key);
[/code]
now variable is clean in functions, but we need to sanitize again in search.php...
open modules/rmdp/search.php
arround line 37 we found two request to $key variable:
[code]
$rmdp_location = 'search';
include('header.php');
$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]
need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:
[code]$rmdp_location = 'search';
include('header.php');
$key = htmlspecialchars($_GET['key']);
if ($key==''){ $key=htmlspecialchars($_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]
$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :
[code]
$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);
[/code]
#############################
fix $id variable in down.php
#############################
open modules/down.php and arround line 38 found this code line:
[code]$id = $_GET['id'];[/code]
it´s a numerical variable value always and them...
yo can change by this other to sanitizing :
[code]$id = intval($_GET['id']);[/code]
##############€nd ######
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Monday, August 11, 2008
FIX XSS in RMSOFT donwload plus
Post by Lostmon in 2:25:00 PM
Categories: bug, patch, security, vulnerability, XSS Enlaces a esta entrada
Yogurt Social Network fans.php uid variable XSS
##########################################
Yogurt Social Network fans.php uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-fansphp-uid.html
Vendor notify:no exploits availables:yes
##########################################
Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.
Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
##########
versions
##########
Yogurt Social Network 3.2 rc1
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
############
Solution
############
No solution at this time !!!
###########
Examples
###########
http://localhost/impresscms/htdocs/modules/yogurt/fans.php?
uid=1">[XSS-CODE]
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Post by Lostmon in 4:55:00 AM
Categories: bug, security, vulnerability, XSS Enlaces a esta entrada
