SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Forum/Board/Portal)  >  e107 website system
Vendors:  e107.org
e107 Website System Input Validation Hole in Custom Format Tags Permits Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007309
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 25 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 0.554
Description:  Several input validation vulnerabilities were reported in the e107 website system. A remote user can conduct cross-site scripting attacks.

Sec-Tec issued an advisory warning that the application's custom formatting tags are not properly sanitized by the 'class2.php' script. The "Chatbox" feature allows remote users to post messages. A remote user can insert specially crafted text so that when a target user views the chat message, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the e107 software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit tags are provided:

[img][/img] - [img]/imgsrc.png' onmouseover='alert("Vulnerable");[/img]
[link][/link] - [link]/link.htm" onmouseover="alert('Vulnerable');[/link]
[email][/email] - [email]/foo@bar.com" onmouseover="alert('Vulnerable');[/email]
[url][/url] - [url]/url.htm" onmouseover="alert('Vulnerable');[/url]

The following notification timeline is provided:

Vulnerability discovered: June 13th 2003
Vendor notified: June 20th 2003
Vendor response: No response
Public release: 24th July 2003

The original Sec-Tec advisory is available at:

http://www.sec-tec.co.uk/vulnerability/e107xss.html

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the e107 software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.e107.org/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Pete Foster" <petef@sec-tec.co.uk>
Message History:   None.


 Source Message Contents

Date:  Fri, 25 Jul 2003 10:11:12 +0100
From:  "Pete Foster" <petef@sec-tec.co.uk>
Subject:  XSS in e107 website system

 


Sec-Tec Advisory - Multiple XSS in e107

The most up to date version of this advisory can always be found at:
www.sec-tec.co.uk/vulnerability/e107xss.html

Advisory creation date:	14th July 2003
Product:		e107 blog/portal system
Tested version:		0.554
Vulnerability:		Multiple XSS
Discovered by:		Pete Foster - Sec-Tec Ltd (www.sec-tec.co.uk)

Product:
e107 is what is commonly known as a CMS, or content management system. It
gives you a completely interactive website without the need to learn HTML,
PHP etc.

Description:
During a penetration test of a client's network, XSS issues were found with
the e107 application.  The application uses custom tags that allow users to
format text without using HTML.  A flaw in the sanitization of these tags
allows a user to insert code into the generated HTML.  This vulnerability
could be used to steal cookie data.  The vulnerability can be exploited by
non-authenticated users due to the "Chatbox" feature of the site.  The
Chatbox allows users to post messages anonymously, and these messages appear
in the main template of all pages.

Affected object:
The file that is responsible for processing the custom tags is class2.php,
the function being tp($text, $mode="off").

Exploit:
On pages where the custom tags can be entered (Chatbox, forum posts) the
following tags can be manipulated.
[img][/img] - [img]/imgsrc.png' onmouseover='alert("Vulnerable");[/img]
[link][/link] - [link]/link.htm" onmouseover="alert('Vulnerable');[/link]
[email][/email] - [email]/foo@bar.com" onmouseover="alert('Vulnerable');[/email]
[url][/url] - [url]/url.htm" onmouseover="alert('Vulnerable');[/url]

Fix:
Add a filter to the search/replace array in class2.php (function tp) that
removes script code (i.e. onMouseOver, onClick etc.).

Release timeline:
Vulnerability discovered:	June 13th 2003
Vendor notified:		June 20th 2003
Vendor response:		No response
Public release:			24th July 2003

If using this document, please link to:
http://www.sec-tec.co.uk/vulnerability/e107xss.html
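The tag-handling flaw described in the SecurityTracker summary above and the fix suggested in the advisory's "Fix" section, modelled as an added Python example. This is not e107's class2.php or its tp() function and not Sec-Tec's code; it reproduces the defect pattern the text describes (the tag body is substituted into an HTML attribute unchanged, so a quote in the body closes the attribute and whatever follows becomes a new attribute) next to a hardened renderer. The hardened version goes beyond the advisory's suggestion of filtering handler names: it validates the body against what the tag is meant to carry and attribute-encodes it, because the breakout is caused by the unescaped quote rather than by any particular on* name, and a name blacklist is easy to miss cases with. The HTMLParser-based check at the end reports on* attributes in rendered output, which is the test a site operator can run over stored chatbox and forum posts. The sample posts are constructed from the tag shapes quoted on this page; `example.com` is a placeholder.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample posts: the four tag shapes quoted in the advisory,
# plus one benign post so the hardened renderer can be seen to keep
# legitimate formatting working.
SAMPLE_POSTS = [
    "[img]/imgsrc.png' onmouseover='alert(\"Vulnerable\");[/img]",
    "[link]/link.htm\" onmouseover=\"alert('Vulnerable');[/link]",
    "[email]/foo@bar.com\" onmouseover=\"alert('Vulnerable');[/email]",
    "[url]/url.htm\" onmouseover=\"alert('Vulnerable');[/url]",
    "[url]http://example.com/page.htm[/url]",  # benign, example.com is a placeholder
]

# Matches [tag]body[/tag] for the four tags named in the advisory.
TAG_RE = re.compile(r"\[(img|link|url|email)\](.*?)\[/\1\]", re.DOTALL)


def render_naive(text):
    """Models the flaw: the tag body goes straight into an HTML attribute.
    A quote inside the body terminates the attribute and the remainder of the
    body is parsed as further attributes, e.g. an event handler."""
    def sub(m):
        tag, body = m.group(1), m.group(2)
        if tag == "img":
            return f"<img src='{body}'>"
        if tag == "email":
            return f'<a href="mailto:{body}">{body}</a>'
        return f'<a href="{body}">{body}</a>'
    return TAG_RE.sub(sub, text)


_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_FORBIDDEN_IN_URL = re.compile(r"[\s\"'<>]")


def _safe_href(body):
    """Return an attribute-encoded target, or None if the body is not an
    http(s) or site-relative URL. Whitespace and quote characters are never
    valid in a URL, so their presence means the body is not one."""
    target = body.strip()
    if _FORBIDDEN_IN_URL.search(target):
        return None
    if urlsplit(target).scheme.lower() not in ("http", "https", ""):
        return None
    return html.escape(target, quote=True)


def render_hardened(text):
    """Validate the body against what the tag is meant to carry, then encode
    it for an attribute context. Bodies that fail validation are shown as
    escaped text instead of being turned into markup."""
    def sub(m):
        tag, body = m.group(1), m.group(2)
        if tag == "email":
            addr = body.strip()
            if not _EMAIL_RE.match(addr):
                return html.escape(m.group(0), quote=True)
            addr = html.escape(addr, quote=True)
            return f'<a href="mailto:{addr}">{addr}</a>'
        href = _safe_href(body)
        if href is None:
            return html.escape(m.group(0), quote=True)
        if tag == "img":
            return f'<img src="{href}">'
        return f'<a href="{href}">{href}</a>'
    return TAG_RE.sub(sub, text)


class _HandlerFinder(HTMLParser):
    """Collects every on* attribute in rendered HTML, the tell-tale sign that
    a post has escaped the attribute its tag was supposed to fill."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def find_event_handlers(rendered_html):
    """Return a list of (element, attribute, value) for on* attributes."""
    finder = _HandlerFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("post     :", post)
        print("naive    :", find_event_handlers(render_naive(post)))
        print("hardened :", find_event_handlers(render_hardened(post)))
        print()
```

Running the block prints, for each sample post, the event handlers the naive renderer lets through and the (empty) list the hardened renderer produces; the benign post renders identically under both. The same `find_event_handlers` check can be pointed at the HTML a live page actually emits, which is a more reliable audit than searching stored posts for particular handler names.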


 


Copyright 2002, SecurityGlobal.net LLC