Full Version: Props 0.6.1 Xss And Remote File Viewing
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
May 2 2004, 10:03 PM
#Title: Props 0.6.1 XSS and Remote File Viewing Vulnerability.

#Software: Props 0.6.1
#Vendor: http://props.sourceforge.net/
#Platform: PHP4 and MySQL


#Description:

PROPS is an open, extensible Internet publishing system designed specifically for periodicals such as newspapers and magazines that want to publish online, either exclusively or as an extension of their print publication.




#Vulnerabilities:

A flaw in lib/glossary.php discloses files on the system to remote users.
The function do_search() lets remote users conduct cross-site scripting
attacks.




#Remote File Viewing#

A remote user can request a crafted URL to view files on the system.
The problem is in the function glossary_init() in lib/glossary.php.




#Example:

/?module=../config&format=php

This URL shows you the PHP source of config.php (depending on the directory
structure; it is only an example).




This is the vulnerable code:

function glossary_init() {
    global $GLOSSARY, $MIME_TYPES, $HTTP_SERVER_VARS;

    $GLOSSARY = array();

    // "module" is taken straight from the request and later used to build a file path
    if (get_form_field("module") != "")
        glossary_set("module", get_form_field("module"));
    else
        glossary_set("module", "displaysection");

    if (get_form_field("section_id"))
        glossary_set("section_id", intval(get_form_field("section_id")));
    else
        glossary_set("section_id", FRONTPAGE_SECTION_ID);

    // "format" is also unchecked; it selects the template and the MIME type below
    if (get_form_field("format") != "")
        glossary_set("format", get_form_field("format"));
    else
        glossary_set("format", "html");

    if (get_form_field("alternate_template_suffix") != "")
        glossary_set("alternate_template_suffix",
            get_form_field("alternate_template_suffix"));

    if (get_form_field("edition_id") != "")
        glossary_set("edition_id", intval(get_form_field("edition_id")));
    else
        glossary_set("edition_id", current_edition());

    glossary_set("mime_type", $MIME_TYPES[glossary_get("format")]);

    glossary_set("request_uri", $HTTP_SERVER_VARS["REQUEST_URI"]);
}



The function does not sanitize the $module and $format variables. A possible
solution is to filter these variables against directory traversal and
format attacks.




#Cross-Site Scripting#

archives/lib/do_search.php

The function do_search() does not sanitize properly. An XSS attack is
possible in $search_string.




#Example:

/?module=archives&op=search&search_string="><script>alert()</script>



Vulnerable code:

$search_string = get_form_field("search_string");
$search_string = ereg_replace("[;]", "", $search_string);
$search_string = addslashes($search_string);
glossary_set("search_string", $search_string);




#SOLUTIONS:

CVS has been updated and version 0.6.2 of props has been released. It also
contains some other small bug fixes.

For those that want to patch by hand, you need to make a total of 3 changes
to two files:


1. In props/lib/glossary.php change line 36 to:

glossary_set("module", ereg_replace("[^_a-zA-Z0-9]", "",
get_form_field("module")));


2. In props/lib/glossary.php replace lines 47-52 with:

// Default format is HTML
if (get_form_field("format") != "") {

    // Make sure this output format is defined in config.php
    if (array_key_exists(get_form_field("format"), $MIME_TYPES))
        glossary_set("format", get_form_field("format"));
    else
        die ("Invalid format");

} else
    glossary_set("format", "html");


3. In props/modules/archives/do_search.php change line 27 to:

$search_string = ereg_replace("[^_a-zA-Z0-9.,]", "", $search_string);


Version 0.6.2 of props available on the sourceforge.net website has these
changes and you can upgrade via your normal methods if you don't want to
patch by hand.
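The three hand-patch steps above, together with the unsanitized $module and $format handling described under the remote file viewing section, as one added PHP example that is not part of the original post or of the Props project. It assumes a constructed $MIME_TYPES allowlist standing in for the one Props keeps in config.php, uses preg_replace() in place of ereg_replace() (which was removed in PHP 7), and the function names clean_module(), clean_format(), clean_search_string() and render_search_echo() are hypothetical. It runs the two crafted requests from the advisory through the hardened checks:

```php
<?php
// Added example, not Props' own code. $MIME_TYPES mirrors the allowlist that
// Props keeps in config.php; these entries are constructed for the example.
$MIME_TYPES = array(
    "html" => "text/html",
    "rss"  => "application/rss+xml",
    "txt"  => "text/plain",
);

// Step 1 of the hand patch: the module name is used to build an include path,
// so reduce it to the character class the patch allows. "../config" collapses
// to "config", which no longer escapes the modules directory.
function clean_module($raw) {
    $module = preg_replace("/[^_a-zA-Z0-9]/", "", (string)$raw);
    return $module !== "" ? $module : "displaysection";
}

// Step 2: the output format selects a template and a MIME type, so accept only
// keys that exist in $MIME_TYPES instead of stripping characters. Returning
// null stands in for the patch's die("Invalid format") and lets the caller
// decide how to respond.
function clean_format($raw, array $mime_types) {
    if ($raw === null || $raw === "") {
        return "html";
    }
    return array_key_exists($raw, $mime_types) ? $raw : null;
}

// Step 3: the search string is stripped to [_a-zA-Z0-9.,], so the <, >, "
// and ' that the reflected payload relies on never reach the template.
function clean_search_string($raw) {
    return preg_replace("/[^_a-zA-Z0-9.,]/", "", (string)$raw);
}

// Defence in depth: HTML-encode the value at the point where it is echoed
// back into the page, so a later relaxation of the filter cannot reintroduce
// the injection.
function render_search_echo($search_string) {
    return "<p>Results for: "
        . htmlspecialchars($search_string, ENT_QUOTES, "UTF-8")
        . "</p>";
}

// Constructed requests: the two crafted URLs from the advisory, decoded the
// way PHP would present them in $_GET.
$requests = array(
    array("module" => "../config", "format" => "php", "search_string" => null),
    array("module" => "archives",  "format" => "",
          "search_string" => "\"><script>alert()</script>"),
);

foreach ($requests as $get) {
    $module = clean_module($get["module"]);
    $format = clean_format($get["format"], $MIME_TYPES);
    if ($format === null) {
        // The first request stops here: "php" is not a defined output format.
        echo "rejected: format '" . $get["format"] . "' is not in MIME_TYPES\n";
        continue;
    }
    printf("module=%s format=%s mime=%s\n", $module, $format, $MIME_TYPES[$format]);
    if ($get["search_string"] !== null) {
        $search = clean_search_string($get["search_string"]);
        // The payload is reduced to "scriptalertscript" and then encoded.
        echo render_search_echo($search) . "\n";
    }
}
```

The first request is rejected on the format check before the stripped module name is ever used, and the second reaches the template only as a plain alphanumeric string; keeping the allowlist for formats rather than a character filter means a new output format has to be added to config.php deliberately, which is the check the original glossary_init() lacked.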

