##########################################
PopnupBlog index.php multiple variables XSS
Vendor url: http://www.bluemooninc.biz/
Advisory: http://lostmon.blogspot.com/2008/08/popnupblog-indexphp-multiple-variables.html
Vendor notified: no
Exploits available: yes
##########################################

PopnupBlog contains a flaw that allows a remote cross-site scripting (XSS)
attack. The flaw exists because the application does not validate the
'param', 'cat_id' and 'view' variables submitted to the 'index.php' script
before reflecting them into the page. This allows an attacker to craft a URL
that, when opened by a victim, executes arbitrary script in the victim's
browser within the trust relationship between the browser and the server,
leading to loss of integrity.

##########
versions
##########

PopnupBlog 3.30, code name: Denali
Prior versions may be vulnerable too.

The flaw affects any CMS on which this module is installed, including:

Xoops
e-xoops
ImpressCMS
Bcoos

and any other system that is built on XOOPS code and uses this module.

############
Solution
############

No vendor fix at this time!
You can, however, edit the source code and fix it yourself as follows.

To fix 'param', open index.php; around line 37 we have

[code]
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]

Add a line before that block so that 'param' is forced to an integer before
getDateFromHttpParams() reads it (the isset() check keeps an absent parameter
absent and avoids a PHP notice, in the style of the existing 'uid' line):

[code]
// Force 'param' to an integer before it is read from $_GET
if (isset($_GET['param'])) $_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]

To fix 'cat_id' and 'view', open index.php; around line 129 we have

[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];
[/code]

Wrap each assignment in intval() so that the variables can only ever hold an
integer:

[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
// cat_id: GET first, POST overrides, both cast to int
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
// view: same treatment
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);
[/code]

Casting to an integer is the right fix only because these parameters are
expected to be numeric: a value such as 1">[XSS-CODE] collapses to 1, so
nothing attacker-controlled reaches the template. If your installation uses
non-numeric values for 'view' (check what $BlogCNF['default_view'] holds),
compare the submitted value against a fixed list of allowed values instead of
calling intval(). In either case, also escape the values with
htmlspecialchars() wherever the template echoes them into HTML, so that a
future change to how they are read does not reopen the hole.

###########
Examples
###########

Replace [XSS-CODE] with the script to inject; the leading "> in each payload
closes the quoted attribute the value is reflected into.

http://localhost/modules/popnupblog/index.php?param=1 ">[XSS-CODE]&start=0,10&cat_id=&view=1

http://localhost/modules/popnupblog/index.php?param= &start=0,10&cat_id=">[XSS-CODE]&view=1

http://localhost/modules/popnupblog/index.php?param= &start=0,10&cat_id=&view=1">[XSS-CODE]

##############
End
###################

Thanks to estrella for being my light
Thanks to all the Lostmon Team!
Thanks to imydes from www.imydes.com

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what keeps the mind moving....
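Added after the advisory as a worked illustration of the Solution and Examples sections; this is example code written for this page, not PopnupBlog's code and not part of Lostmon's advisory. It replays the three example query strings against an unpatched reading of 'param', 'cat_id' and 'view' and against the intval() fix, and additionally shows output escaping with htmlspecialchars(), which goes beyond the advisory's fix. The function names (read_params_unpatched, read_params_patched, render_link, attr_escape), the concrete payload and the href template are assumptions for illustration only.

```php
<?php
// Added example, not PopnupBlog or advisory code. Function names and the
// link template below are assumptions for illustration only.
declare(strict_types=1);

/** The unpatched logic from index.php, reduced to the three variables. */
function read_params_unpatched(array $get, array $post): array
{
    $p = ['param' => $get['param'] ?? '', 'cat_id' => 0, 'view' => 'default'];
    if (isset($get['cat_id']))  $p['cat_id'] = $get['cat_id'];
    if (isset($post['cat_id'])) $p['cat_id'] = $post['cat_id'];
    if (isset($get['view']))    $p['view'] = $get['view'];
    if (isset($post['view']))   $p['view'] = $post['view'];
    return $p;
}

/** The patched logic: every value forced to int, as the advisory's fix does. */
function read_params_patched(array $get, array $post): array
{
    $p = ['param' => isset($get['param']) ? intval($get['param']) : 0,
          'cat_id' => 0, 'view' => 0];
    if (isset($get['cat_id']))  $p['cat_id'] = intval($get['cat_id']);
    if (isset($post['cat_id'])) $p['cat_id'] = intval($post['cat_id']);
    if (isset($get['view']))    $p['view'] = intval($get['view']);
    if (isset($post['view']))   $p['view'] = intval($post['view']);
    return $p;
}

/** Render the values into an href attribute the way a template might. */
function render_link(array $p): string
{
    return '<a href="index.php?param=' . $p['param']
         . '&amp;cat_id=' . $p['cat_id'] . '&amp;view=' . $p['view'] . '">';
}

/** Output-context escaping: the defence to use for values that must stay strings. */
function attr_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input: the Examples section's query strings, with a concrete
// payload standing in for [XSS-CODE].
$payload = '"><script>alert(1)</script>';
$queries = [
    "param=1 {$payload}&start=0,10&cat_id=&view=1",
    "param= &start=0,10&cat_id={$payload}&view=1",
    "param= &start=0,10&cat_id=&view=1{$payload}",
];

foreach ($queries as $i => $q) {
    $get = [];
    parse_str($q, $get);   // what PHP would place in $_GET for that URL

    $bad  = render_link(read_params_unpatched($get, []));
    $good = render_link(read_params_patched($get, []));

    // Unpatched: the payload closes the href quote and injects a tag.
    assert(strpos($bad, '<script>') !== false);
    // Patched: intval() keeps only the leading digits, so no quote or tag survives.
    assert(strpos($good, '<script>') === false);
    // Escaping at output would also have neutralised it, even without intval().
    assert(strpos(attr_escape($bad), '<script>') === false);

    printf("URL %d unpatched: %s\n", $i + 1, $bad);
    printf("URL %d patched:   %s\n\n", $i + 1, $good);
}
```

Run it with `php -d zend.assertions=1 example.php`; each unpatched line shows the injected tag sitting after a closed href attribute, while each patched line carries only param=1/0, cat_id=0 and view=1. The assertions encode the same point as the Solution section: once the three values are integers there is nothing left for the payload to attach to.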