Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
e107 Input Validation Hole in 'usersettings.php' Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1010269
|
|
SecurityTracker URL: http://securitytracker.com/id?1010269
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: May 24 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Description: An input validation vulnerability was reported in e107. A remote authenticated user can conduct cross-site scripting attacks.
Chris Norton reported that 'usersettings.php' does not filter HTML code from user-supplied input before 'user.php' displays the information.
A remote authenticated user can submit specially crafted text so that when a target user views the information, arbitrary scripting
code will be executed by the target user's browser. The code will originate from the site running the e107 software and will run
in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
e107 software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as
the target user.
|
Solution: No solution was available at the time of this entry.
The author of the report has provided an unofficial fix, described in the Source Message.
|
Vendor URL: www.e107.org/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Chris Norton <kicktd@ramsecurity.us>
|
Message History:
None.
|
Source Message Contents
|
Date: 22 May 2004 22:51:20 -0000
From: Chris Norton <kicktd@ramsecurity.us>
Subject: e107 web portal user.php XSS (Cross Site Scripting)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-------------------------------------------------
R.A.M Security Advisory
-------------------------------------------------
http://www.ramsecurity.us
-------------------------------------------------
Severity: Medium
Title: e107 web portal user.php xss
Date: May 21, 2004
-------------------------------------------------
Synopsis:
All versions of e107 have a vulnerability that
allows javascript or html content in user.php.
Description:
All versions of e107 have a vulnerability that
allows xss or html tags and content to be posted to the
Website URL for a member.
The Problem lies within the usersettings.php
which does not parse < > ( ) tags thus allowing any
user to insert a javascript or html. The problem is
in user.php where the information is displayed. When someone updates their url, AIM or MSN field with
malicious content it is displayed
without being correctly parsed. Here is an example of how the input might be crafted:
URL field:
http://www.mysiteurl.com/<script>alert(document.cookie)</script>
AIM/MSN field: <script>alert(document.cookie)</script>
Now whenever a user visits that members profile they
will get a javascript popup with their cookie
information while the link will just show:
http://www.mysiteurl.com/
and when the link is clicked on it will take the user
to mysiteurl.com.
Impact:
This may lead to cookie information being
stolen or other such xss attacks.
Solution:
edit user.php from lines 233 to 261 to read. Remove spaces in the replace string so that & lt ; e
tc will form one word:
</td></tr> ";
$source = $user_aim;
//check for bad input and convert it to ISO-8859-1
$bad = array("<",">","(",")");
$replace = array("& lt ;","& gt ;","& #40 ;","& #4
1 ;");
$user_aim = str_replace($bad, $replace, $source);
foreach($user_aim as $aim) {
$user_aim = $aim;
$str .= "
<td style='width:80%'class='forumheader3'>
<table style='width:100%'><tr><td style='width:30%'> <im
g src='".e_IMAGE."generic/aim.png' alt='' style='vertical-align:middle'
/> ".LAN_116."</td><td style='width:70%; text-align:right'>".($user_ai
m ? $user_aim : "<i>".LAN_401."</i>")."</td></tr><
/table>
</td></tr>
<td style='width:80%'class='forumheader3'> ";
$source = $user_msn;
$user_msn = str_replace($bad, $replace, $source);
foreach($user_msn as $msn) {
$user_msn = $msn;
$str .= "
<table style='width:100%'><tr><td style='width:30%'> <img src='"
.e_IMAGE."generic/msn.png' alt='' style='vertical-align:middle'
/> ".LAN_117."</td><td style='width:70%; text-align:right'>".($user_ms
n ? $user_msn : "<i>".LAN_401."</i>")."</td></tr><
/table>
</td></tr> ";
$source = $user_homepage;
$user_homepage = str_replace($bad, $replace, $source);
foreach($user_homepage as $homepage) {
$user_homepage = $homepage;
$str .= "
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBQK8GK9X3ZZExQKX/EQLyOACg5TX3vqGnXlJpv6sWjkmPTkldG3EAn244
2fdinygjzW7EPp6Fve50QiKe
=MNjB
-----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
