props061.txt
Posted May 4, 2004
Authored by Manuel Lopez

Props version 0.6.1 is susceptible to cross site scripting attack and allows an attacker the ability to see any file on the system due to flaws in glossary.php.

tags | advisory, php, xss
SHA-256 | f598b9ed8a7b6ff22759af3b10826567272decde5f2a0302648d6e96d89ddcee

#Title: Props 0.6.1 XSS and Remote File Viewing Vulnerability. 

#Software: Props 0.6.1
#Vendor: http://props.sourceforge.net/
#Platform: PHP4 and MySQL


#Description:

PROPS is an open, extensible Internet publishing system designed
specifically for periodicals such as newspapers and magazines who want to
publish online, either exclusively or as an extension of their print
publication.


#Vulnerabilities:

A flaw in lib/glossary.php discloses files on the system to remote users.
The function do_search() lets remote users conduct cross-site scripting
attacks.


#Remote File Viewing#

A remote user can request a crafted URL to view files on the system.
The problem is in the function glossary_init() in lib/glossary.php.




#Example:

/?module=../config&format=php

This URL returns the PHP source of config.php (the exact path depends on
the directory layout of the installation; it is only an example).


This is the vulnerable code:

function glossary_init() {
    global $GLOSSARY, $MIME_TYPES, $HTTP_SERVER_VARS;

    $GLOSSARY = array();

    // "module" is taken from the request unfiltered and later used to build a file path
    if (get_form_field("module") != "")
        glossary_set("module", get_form_field("module"));
    else
        glossary_set("module", "displaysection");

    if (get_form_field("section_id"))
        glossary_set("section_id", intval(get_form_field("section_id")));
    else
        glossary_set("section_id", FRONTPAGE_SECTION_ID);

    // "format" is likewise accepted as-is and later used as a template/file suffix
    if (get_form_field("format") != "")
        glossary_set("format", get_form_field("format"));
    else
        glossary_set("format", "html");

    if (get_form_field("alternate_template_suffix") != "")
        glossary_set("alternate_template_suffix",
                     get_form_field("alternate_template_suffix"));

    if (get_form_field("edition_id") != "")
        glossary_set("edition_id", intval(get_form_field("edition_id")));
    else
        glossary_set("edition_id", current_edition());

    glossary_set("mime_type", $MIME_TYPES[glossary_get("format")]);

    glossary_set("request_uri", $HTTP_SERVER_VARS["REQUEST_URI"]);
}


The function does not sanitize the $module and $format variables. A possible
solution is to filter these variables against directory traversal and
against unexpected output formats.


#Cross-Site Scripting#

archives/lib/do_search.php

The function do_search() does not sanitize properly. An XSS attack is
possible in $search_string.




#Example:

/?module=archives&op=search&search_string="><script>alert()</script>



Vulnerable code:

$search_string = get_form_field("search_string");
$search_string = ereg_replace("[;]", "", $search_string);
$search_string = addslashes($search_string);
glossary_set("search_string", $search_string);
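The filter above only removes semicolons and then applies addslashes(), which escapes quotes for SQL, not for HTML; the tags in the example payload pass through untouched. The following is an added example, not code from Props or from the advisory, that runs the advisory's payload through an equivalent of that filter and then through HTML output encoding, which is what actually neutralises it when the string is echoed back into a page. The original ereg_replace() call is written here with preg_replace(), since ereg_replace() was removed in PHP 7.0; the helper names are the example's own.

```php
<?php
// Added example (not Props code): the do_search() filter from the advisory,
// expressed with preg_replace() because ereg_replace() no longer exists in PHP 7+.
function original_search_filter(string $search_string): string {
    $search_string = preg_replace('/[;]/', '', $search_string); // strips only ';'
    return addslashes($search_string);                          // escapes quotes for SQL, not HTML
}

// Output encoding: the control that makes a reflected value safe inside HTML.
// ENT_QUOTES covers both quote styles, so the string is safe inside attribute values too.
function encode_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Quick check a reviewer can run over any filter: does markup survive it?
function still_contains_markup(string $s): bool {
    return strpos($s, '<') !== false || strpos($s, '>') !== false;
}

// Constructed input: the payload from the advisory's example URL, URL-decoded.
$payload = '"><script>alert()</script>';

$filtered = original_search_filter($payload);
$encoded  = encode_for_html($payload);

echo "filtered: $filtered\n";   // \"><script>alert()</script>  (tags intact, only the quote is backslashed)
echo "encoded:  $encoded\n";    // &quot;&gt;&lt;script&gt;alert()&lt;/script&gt;

var_dump(still_contains_markup($filtered)); // bool(true)  -- the original filter is not an XSS defence
var_dump(still_contains_markup($encoded));  // bool(false)
```

The point for a reviewer is that addslashes() and character stripping are input filters for a different sink; whatever is done on input, a value echoed into HTML still needs htmlspecialchars() at the point of output.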




#SOLUTIONS:

CVS has been updated and version 0.6.2 of props has been released. It also
contains some other small bug fixes.

For those that want to patch by hand, you need to make a total of 3 changes
to two files:


1. In props/lib/glossary.php change line 36 to:

glossary_set("module", ereg_replace("[^_a-zA-Z0-9]", "",
get_form_field("module")));


2. In props/lib/glossary.php replace lines 47-52 with:

// Default format is HTML
if (get_form_field("format") != "") {
    // Make sure this output format is defined in config.php
    if (array_key_exists(get_form_field("format"), $MIME_TYPES))
        glossary_set("format", get_form_field("format"));
    else
        die ("Invalid format");
} else
    glossary_set("format", "html");


3. In props/modules/archives/do_search.php change line 27 to:

$search_string = ereg_replace("[^_a-zA-Z0-9.,]", "", $search_string);


Version 0.6.2 of props available on the sourceforge.net website has these
changes and you can upgrade via your normal methods if you don't want to
patch by hand.
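The three hand patches rely on ereg_replace(), which was deprecated in PHP 5.3 and removed in PHP 7.0, so they will not run as printed on a current interpreter. The following is an added example, not code from Props or from the advisory, that restates each patch as a PHP 7/8 function using preg_replace() with the same character classes, and adds one check beyond the patch: confirming with realpath() that the resolved module file really lies inside the modules directory. The $MIME_TYPES table, the temporary directory layout and the helper names are constructed for the example.

```php
<?php
// Added example (not Props code): PHP 7/8 equivalents of the three 0.6.2 patches,
// plus a path-containment check as defence in depth.

// Patch 1: restrict the module name to [_a-zA-Z0-9]. This removes '.', '/' and '\',
// so "../config" can no longer steer the later include() outside the modules tree.
function sanitize_module(string $module): string {
    return preg_replace('/[^_a-zA-Z0-9]/', '', $module);
}

// Patch 2: the output format must be a key of $MIME_TYPES (config.php defines it);
// a format such as "php" that is not defined there is refused instead of being used
// as a file suffix.
function select_format(string $requested, array $mime_types): string {
    if ($requested === '') {
        return 'html';                           // default format is HTML
    }
    if (!array_key_exists($requested, $mime_types)) {
        throw new InvalidArgumentException('Invalid format');
    }
    return $requested;
}

// Patch 3: reduce the search string to [_a-zA-Z0-9.,], which strips the quotes and
// angle brackets the XSS payload depends on. Encoding on output is the more general
// fix; this reproduces what 0.6.2 shipped.
function sanitize_search_string(string $s): string {
    return preg_replace('/[^_a-zA-Z0-9.,]/', '', $s);
}

// Beyond the patch: even with a cleaned name, verify the resolved file is inside
// $modules_dir. The trailing separator matters so "modules_other" does not match "modules".
function resolve_module_file(string $module, string $modules_dir): ?string {
    $base = realpath($modules_dir);
    $candidate = realpath($modules_dir . '/' . sanitize_module($module) . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed sample of the $MIME_TYPES table from config.php.
$mime_types = ['html' => 'text/html', 'rss' => 'application/rss+xml'];

var_dump(sanitize_module('../config'));        // string(6) "config"   -- traversal removed
var_dump(select_format('html', $mime_types));  // string(4) "html"
try {
    select_format('php', $mime_types);         // the advisory's format=php request
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";               // Invalid format
}
var_dump(sanitize_search_string('"><script>alert()</script>'));
// string(17) "scriptalertscript"

// Constructed directory layout: <tmp>/config.php outside, <tmp>/modules/archives.php inside.
$root = sys_get_temp_dir() . '/props_example_' . getmypid();
mkdir($root . '/modules', 0700, true);
file_put_contents($root . '/config.php', "<?php\n");
file_put_contents($root . '/modules/archives.php', "<?php\n");

var_dump(resolve_module_file('archives', $root . '/modules') !== null); // bool(true)
var_dump(resolve_module_file('../config', $root . '/modules'));         // NULL: no modules/config.php

unlink($root . '/modules/archives.php');
unlink($root . '/config.php');
rmdir($root . '/modules');
rmdir($root);
```

On an installation that cannot upgrade to 0.6.2, the first three functions are the minimum; the containment check costs one realpath() call per request and also catches mistakes in how the module path is assembled later in the code.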

http://sourceforge.net/project/showfiles.php?group_id=29581

Thanks to Blake Girardot the vulnerabilities are now fixed.


#Credits:

Manuel Lopez, mantra@gulo.org