hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: E107 Web Portal User.php Xss
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
May 24 2004, 06:07 PM
QUOTE



Severity: Medium

Title: e107 web portal user.php xss

Date: May 21, 2004

-------------------------------------------------

  Synopsis:

All versions of e107 have a vulnerability that

allows javascript or html content in user.php.


  Description:

All versions of e107 have a vulnerability that

allows xss or html tags and content to be posted to the

Website URL for a member.



The Problem lies within the usersettings.php

which does not parse < > ( ) tags thus allowing any

user to insert a javascript or html. The problem is

in user.php where the information is displayed. When someone updates their url, AIM or MSN
field with malicious content it is displayed without being correctly parsed. Here is an
example of how the input might be crafted:

URL field:

http://www.mysiteurl.com/<script>ale...e)</script&g
t;


AIM/MSN field: &lt;script&gt;alert(document.cookie)&lt;/script&gt;


Now whenever a user visits that members profile they

will get a javascript popup with their cookie

information while the link will just show:

http://www.mysiteurl.com/

and when the link is clicked on it will take the user

to mysiteurl.com.


  Impact:

This may lead to cookie information being

stolen or other such xss attacks.


  Solution:



edit user.php from lines 233 to 261 to read. Remove spaces in the replace string so that
& lt ; etc will form one word:



</td></tr> ";

$source = $user_aim;

//check for bad input and convert it to ISO-8859-1

$bad =  array("<",">","(",")");

$replace = array("& lt ;","& gt ;","& #40
;","& #41 ;");

$user_aim = str_replace($bad, $replace, $source);

foreach($user_aim as $aim) {

$user_aim = $aim;

}

$str .= "

                <td style='width:80%'class='forumheader3'>

                        <table style='width:100%'><tr><td
style='width:30%'> <img
src='".e_IMAGE."generic/aim.png' alt=''
style='vertical-align:middle' /> ".LAN_116."</td><td
style='width:70%; text-align:right'>".($user_aim ? $user_aim :
"<i>".LAN_401."</i>")."</td></tr></tab
le>

                </td></tr>



                <td style='width:80%'class='forumheader3'>
";

$source = $user_msn;

$user_msn = str_replace($bad, $replace, $source);

foreach($user_msn as $msn) {

$user_msn = $msn;

}

$str .= "

                <table style='width:100%'><tr><td
style='width:30%'> <img
src='".e_IMAGE."generic/msn.png' alt=''
style='vertical-align:middle' /> ".LAN_117."</td><td
style='width:70%; text-align:right'>".($user_msn ? $user_msn :
"<i>".LAN_401."</i>")."</td></tr></tab
le>

                </td></tr> ";

$source = $user_homepage;

$user_homepage = str_replace($bad, $replace, $source);

foreach($user_homepage as $homepage) {

$user_homepage = $homepage;

}

$str .= "

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.