Kshop module search variable and field remote XSS
##########################################
Kshop module search variable & field remote XSS
Vendor url: http://www.kaotik.biz/
Vendor notified: no    Exploit available: YES
##########################################
Kshop is an e-commerce PHP/MySQL script module for
multiple CMS systems such as Xoops, e-xoops, bcoos and
ImpressCMS, and probably for every CMS based on the Xoops code.
Kshop contains a flaw that allows a remote cross-site
scripting attack. The flaw exists because the
application does not validate the 'Search' variable (the
search form field included in this module) when it is
submitted to the 'kshop_search.php' script of the Kshop module.
This could allow a user to create a specially crafted form
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
#################
Versions
#################
Kshop module 2.22
I made a test with ImpressCMS,
and in that CMS the kshop module
has version 2.23 ????
It is possible that prior versions
are affected too.
It affects these CMS systems if
this module is installed:
Xoops
e-xoops
ImpressCMS
Bcoos
and others that use the Xoops code and this module.
###################
Solution
###################
At this moment there is no official solution...
but you can make a simple patch: open kshop_search.php
inside the kshop module folder; around line 45 you have
$xoopsTpl->assign('searchTerm',$_POST['search']); // raw POST value handed straight to the template
You can use the strip_tags() PHP function, like:
$xoopsTpl->assign('searchTerm',strip_tags($_POST['search'])); // removes HTML tags only
Now it is patched, because this removes all tags from the search variable.
Or you can use the htmlentities() PHP function for a much cleaner patch, like:
$xoopsTpl->assign('searchTerm',htmlentities($_POST['search'])); // encodes all characters that have an HTML entity
Or, much more restrictive:
$xoopsTpl->assign('searchTerm',htmlspecialchars($_POST['search'])); // encodes &, <, >, " (and ' with ENT_QUOTES)
Happy patch !!!
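The following is an added example, not Kshop's own code, that runs the advisory's own test input through each of the three proposed patches and shows what reaches the browser. It goes a step beyond the advisory by checking whether the quoted attribute context survives each option. It assumes that the Smarty template echoes {$searchTerm} back into the value="" attribute of the search box (the real Kshop template is not shown above); the function names and the render_search_box() fragment are this example's own.

```php
<?php
// Added example (not Kshop's own code): compare the three fixes the
// advisory proposes for kshop_search.php on the advisory's test input.
// Assumption: the Smarty template places {$searchTerm} inside the
// value="" attribute of the search box; the real template is not shown.

declare(strict_types=1);

// Test input copied from the advisory's example (constructed here, not captured).
const ADVISORY_INPUT = '"><script>alert()</script>';

/** The advisory's "simple patch": remove tags, keep everything else. */
function sanitize_strip_tags(string $raw): string
{
    return strip_tags($raw);
}

/** The advisory's encoding patch: neutralise the characters HTML cares about. */
function sanitize_escape(string $raw): string
{
    // ENT_QUOTES also encodes single quotes (needed if a template ever uses
    // value='...'); ENT_SUBSTITUTE returns U+FFFD instead of '' on bad UTF-8.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Assumed template fragment: the term is placed inside a quoted attribute. */
function render_search_box(string $searchTerm): string
{
    return '<input type="text" name="search" value="' . $searchTerm . '">';
}

/**
 * A raw '"' or '<' inside the attribute value means the input has left
 * its intended context, whatever else was removed around it.
 */
function attribute_is_intact(string $searchTerm): bool
{
    return strpos($searchTerm, '"') === false && strpos($searchTerm, '<') === false;
}

$variants = [
    'none'             => ADVISORY_INPUT,
    'strip_tags'       => sanitize_strip_tags(ADVISORY_INPUT),
    'htmlspecialchars' => sanitize_escape(ADVISORY_INPUT),
];

foreach ($variants as $name => $term) {
    printf("%-17s %s\n", $name . ':', render_search_box($term));
    printf("%-17s attribute intact: %s\n\n", '', attribute_is_intact($term) ? 'yes' : 'no');
}
```

Running this prints the unpatched markup with a closed attribute followed by a script element, the strip_tags() variant as value="">alert()"> (the tags are gone, but the leading " still closes the attribute, so the value is no longer confined to it), and the htmlspecialchars() variant as value="&quot;&gt;&lt;script&gt;alert()&lt;/script&gt;" with the attribute intact. That is why the encoding patches are the ones to prefer when the term is reflected into markup; htmlentities() gives the same result for this input.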
###################
Proof of Concept.
###################
This issue cannot be exploited directly by URL,
because the form field has a limit of 20 chars
and we need a POST to exploit it; a URL request is a GET, and we need a POST.
This is not a problem: we can make our own form that uses POST
and has no restriction on the form field, and use it to exploit the flaw by
putting some JavaScript or HTML code in the form field.
Example: "><script>alert()</script>
It is necessary that you put "> before the code.
<form action="http://[victim]/modules/kshop/kshop_search.php" method="POST">
<input type="text" name="search" value="Put your XSS Here !!!">
<input type="image" src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif"></form>
############## End ###################
andry - Moderator