---------------------------------------------------------------------- SNS Advisory No.85 XOOPS Multiple Cross-site Scripting Vulnerabilities Problem first discovered on: Sun, 25 Sep 2005 Published on: Tue, 25 Oct 2005 ---------------------------------------------------------------------- Severity Level: --------------- Medium Overview: --------- Software XOOPS for building community websites contains multiple cross-site scripting vulnerabilities. Problem Description: -------------------- XOOPS is software for building community websites written in PHP. XOOPS is provided with the specific tag called "XOOPS Code" that allows to register text with font attributes or images without HTML tag for modules including private message and forum. Flaw exists in a part of sanitizing processes when converting "XOOPS Code" into HTML tag. Therefore, it is possible to register text with arbitrary script for "XOOPS Code" available modules. In addition, another flaw also exists only for forum module(newbb) and it makes possible to submit text including arbitrary script to a forum. If the vulnerabilities are exploited, attacker's script might be executed when displaying a private message or a submitted message for the forum. In this incident, users might be suffered from session hijack and the screen could be manipulated freely by attackers after the users logging in. Affected Versions: ------------------ XOOPS 2.0.12 JP and prior versions XOOPS 2.0.13.1 and prior versions XOOPS 2.2.3 RC1 and prior versions Solution: --------- The vulnerabilities can be fixed by updating the software to any version later than XOOPS 2.0.13 JP. http://xoopscube.jp/modules/documents/index.php?id=1 Discovered by: -------------- Keigo Yamazaki (LAC) Thanks to: ---------- This SNS Advisory is being published in coordination with Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC. http://jvn.jp/jp/JVN%2377105349/index.html http://www.ipa.go.jp/security/vuln/documents/2005/JVN_77105349_XOOPS.html Disclaimer: ----------- The information contained in this advisory may be revised without prior notice and is provided as it is. Users shall take their own risk when taking any actions following reading this advisory. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or by the use of information provided here. This advisory can be found at the following URL: http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/85_e.html ----------------------------------------------------------------------