woltlabcf-xss.txt

woltlabcf-xss.txt: Posted Apr 8, 2008; Authored by Jessica Hope; WoltLab Community Framework versions 1.0.6 and below suffer from cross site scripting and full path disclosure vulnerabilities.; tags | advisory, vulnerability, xss; SHA-256 | 584022810e4cd0c09aabfc52e6219dea274419a25a0ae2e065ee19128ad91aae; Download | Favorite | View

woltlabcf-xss.txt

======================================================================

Advisory : WoltLab(R) Community Framework XSS and Full Path Disclosure
Vulnerability
Release Date :
Application : WoltLab(R) Community Framework
Version : WCF 1.0.6 and lower
Platform : PHP
Vendor URL : http://community.woltlab.com/
Authors : Jessica Hope ( jessicasaulhope@googlemail.com )


=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to
construct XSS attacks and path disclosure.

=======================================================================

Discussion

Full Path Disclosure via "page", "form", etc. Parameters:

WCF based applications use a factory pattern to load and instantiate the class
appropriate for the current page based on user input. If the user submits data
not resolving to a valid class, the exception handler adds the whole stacktrace
- including the full path - into an HTML comment.

XSS via "page", "form", etc. Parameters:

The aforementioned trace includes the user submitted parameter as function
argument and is left un-escaped. This opens a potential XSS issue.


=======================================================================

Solution

At this time there is no vendor patch. Vendor in question lacks a public way to
contact them with relation to a security vulnerability.

The suggested solution is to not expose sensitive information (full paths) and
un-escaped user input in comments.

Vendor should also publish an e-mail address or other way to contact them with
such issues so that full-disclosure can be avoided before vendor notification.

Ongoing research into other products Woltlab GmbH produces is pending. Future
vulnerabilities will be posted to full disclosure as they are found unless the
vendor wishes to provide such contact info publicly.


=======================================================================

History:


08th April 2008: Full disclosure


=======================================================================

Credit

This issue is to be credited to Jessica Hope ( jessicasaulhope@googlemail.com )

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 83 files
Ubuntu 79 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,707)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,485)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,737)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

woltlabcf-xss.txt

woltlabcf-xss.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

woltlabcf-xss.txt

Share This

woltlabcf-xss.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems