| Kiki |
| Regular user |
 |
|
| Joined: Nov 13, 2005 |
| Posts: 7 |
| Location: Italy |
|
|
 |
|
 |
|
| Code: |
Siteframe Beaumont 5.0.1a <== Cross-Site Scripting Vulnerability
##########################
Information of Software:
Software: Siteframe Beaumont 5.0.1a
Site: http://www.siteframe.org/
Description of software: Siteframe is a lightweight content-management
system designed for the rapid deployment of community-based websites.
With Siteframe,a group of users can share stories and photographs, create blogs,
send email to one another, and participate in group activities.
##########################
Bug:
Siteframe contains a flaw that allows a remote cross site scripting attack.
The vulnerability is found in the search page and the user can modify the
function GET and insert the XSS code.
- http get request
http://[target]/search.php?q=casa
GET /search.php?q=casa
Host: siteframe.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
but we can modify the request GET in this way:
http://[target]/search.php?q=[XSS]
GET /search.php?q=[XSS]
-------------------------
Example:
http://[target]/search.php?q=[XSS]
or a practical example:
http://[target]/search.php?q=<script>alert("lol");</script>
-------------------------
The bug is in this part of code of search.php :
[.....]
if (isset($_GET['q']))
{
$PAGE->assign('page_title', lang('page_title_search_results'));
$pattern = $_GET['q'];
$PAGE->assign('search_string', $_GET['q']);
// build query
$stext = new SearchText;
$q = sprintf(
$__QUERY,
addslashes($_GET['q']),
$stext->table_name(),
addslashes($_GET['q'])
);
$PAGE->assign('sql_query', $q);
[.....]
-------------------------
Patch:
It must insert the function htmlentities of the php in order to make that the variable one
comes leaked without being executed.
At the line 64 in search.php replace the string:
$PAGE->assign('search_string', $_GET['q']);
to:
$PAGE->assign('search_string', htmlentities($_GET['q']));
and save it
##########################
Credit:
Author: Kiki
e-mail: federico.sana@alice.it
web page: http://kiki91.altervista.org
##########################
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 131
Members: 0
Total: 131
