Professional Webmasters Community
Would you like to react to this message? Create an account in a few clicks or log in to continue.
Professional Webmasters Community

your are free to explore your reviews, thoughts, suggestion and guidelines on every online tech talk.


PopnupBlog index.php multiple variables XSS

Professional Webmasters Community :: Webmaster Speak :: Tech Talk

Go down

PopnupBlog index.php multiple variables XSS Empty PopnupBlog index.php multiple variables XSS

Post  andry Mon Sep 27, 2010 3:55 am

##########################################
PopnupBlog index.php multiple variables XSS
Vendor url:http://www.bluemooninc.biz/
Vendor notify:no exploits availables:yes
##########################################

PopnupBlog contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'param' , 'cat_id' and
'view' variables upon submission to 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

PopnupBlog 3.20 code name: Denali

Prior versions can be vulnerables too.
it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

But you can edit the source code and ix it like:

for fix 'param' open index.php and arround line 37 we have

Code:

$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;

add a line to force 'param' to return a integer:

Code:

$_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;

for fix 'cat_id' and 'view' open index.php and arround line 129 :

Code:

$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];

add intval to force variables to return an integer like:

Code:

$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);

###########
Examples
###########

http://localhost/modules/popnupblog/index.php?param=1
">[XSS-CODE]&start=0,10&cat_id=&view=1

http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=">[XSS-CODE]&view=1

http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=&view=1">[XSS-CODE]


############## €nd ###################
andry
andry
Moderator
Moderator

Posts : 467
Join date : 2010-05-07

Back to top Go down

Back to top

- Similar topics

Professional Webmasters Community :: Webmaster Speak :: Tech Talk

 
Permissions in this forum:
You cannot reply to topics in this forum