1

Subject: XSS vulnerability in XOOPS 2.0.5.1
Date: 15:44, Sunday 21 December 2003
From: Chintan Trivedi
To: bugtraq@securityfocus.com
====================================================================
Advisory by Eye On Security Research Group - India http://www.eos-india.net
====================================================================
1.==============================================================Product
2.===============================================================Vendor
3.========================================================Vulnerability
4.========================================================About Product
5.=============================================Details of vulnerability
6.==============================================================Exploit
7.==============================================================Credits
1. Product
==========
XOOPS 2.0.5.1
2. Vendor
=========
http://www.xoops.org
3. Vulnerability
================
XSS vulnerability in module weblinks
4. About XOOPS
==============
XOOPS is a dynamic OO (Object Oriented) based open source portal
script written in PHP. XOOPS supports a number of databases, making
XOOPS an ideal tool for developing small to large dynamic community
websites, intra company portals, corporate portals, weblogs and much
more.
5. Details of vulnerability
===========================
The weblinks module contains a file named "myheader.php" in
/modules/mylinks/ directory. The code of the file is as follows:
---------------------------------
<?php
include "../../mainfile.php";
$url = $HTTP_GET_VARS['url'];
$lid = intval($HTTP_GET_VARS['lid']);
.
.
.
<?php echo _MD_RATETHISSITE; ?> | <a href="modlink.php?lid=<?php echo $lid; ?>"><?php echo _MD_MODIFY; ?></a> |
<?php echo _MD_REPORTBROKEN; ?> | <?php echo _MD_TELLAFRIEND; ?> | Back to <?php echo $xoopsConfig['sitename']; ?> | <a target='_top' href="<?php echo $url; ?>">Close Frame</a>
.
.
-----------------------------------
The value for variable "url" is used in line
<a target='_top' href="<?php echo $url; ?>">Close Frame</a>
Thus an attacker can pass a javascript code as a value for variable
url and get it executed as soon as the victim clicks the "Close Frame"
link.
6. Exploit
==========
http://[target]/modules/mylinks/myheader.php?url=javascript:alert(document.cookie);
Clicking the above link, the victim gets directed to a page containing
a link "Close Frame" which is actually the javascript code inserted by
the attacker. The cookie revealed is quite informative for the attacker
to log in with the hijacked user (including admin) privileges.
7. Credits
==========
Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - http://www.eos-india.net
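The fix for the pattern the advisory describes, as an added example that is not part of the advisory and not XOOPS code: the "url" value is accepted only as an absolute http(s) URL and is HTML-escaped when written into the href. The helper name safe_frame_url() and the fallback target "/" are assumptions made for illustration.

```php
<?php
// Added example, not XOOPS code. safe_frame_url() is a hypothetical helper.

/**
 * Return $raw if it is an absolute http(s) URL, otherwise $fallback.
 * The result is still untrusted text and must be HTML-escaped on output.
 */
function safe_frame_url($raw, $fallback = '/')
{
    // ?url[]=x arrives as an array; only plain strings are acceptable.
    if (!is_string($raw) || $raw === '') {
        return $fallback;
    }
    // Browsers drop leading whitespace and embedded tab/CR/LF before
    // reading the scheme, so reject any control character or space.
    if (preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return $fallback;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }
    // Allowlist of schemes: javascript:, data:, vbscript: and the rest fail here.
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return $fallback;
    }
    return $raw;
}

$url = safe_frame_url(isset($_GET['url']) ? $_GET['url'] : null);
$lid = isset($_GET['lid']) ? intval($_GET['lid']) : 0;
?>
<a href="modlink.php?lid=<?php echo $lid; ?>">Modify</a> |
<a target="_top" href="<?php echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); ?>">Close Frame</a>
```

Escaping alone does not stop the payload in the advisory, because a javascript: URL contains no characters that htmlspecialchars() changes; the scheme allowlist is what blocks it, and the escaping prevents breaking out of the attribute.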
2

Quote:
From manual :
You can optionally pass the assign attribute, which will specify a template variable name that the output of include_php will be assigned to instead of displayed.
In my PHP I have:
<?php
print "OOOO";
?>
But it isn't displayed on screen.
Can you help me with an example ?
Ciao,
Luca
3

Hi,
I'm trying to get include_php working.
Here is my example used in theme.html
<{include file="default/aaa.html"}>
<{include_php file="default/aaa.php"}>
First include (no php) works, second doesn't work. Why ?
Ciao,
Luca