Pligg Installation File XSS Vulnerability
Title: Pligg Installation File XSS Vulnerability
Vendor: Pligg
Product: Pligg CMS
Tested Version: 1.0.4
Threat Class: XSS
Severity: Medium
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares
===== Description =====
Pligg is prone to an XSS vulnerability in the installation file install/install1.php. The variable "language", obtained from an HTTP request, can be manipulated to execute JavaScript code via onmouseover-like event handler attributes. Even with the two sanitizers used (strip_tags and addslashes), it is possible to break out of the double-quoted value attribute of the input tag by passing a double quote via the "language" variable.
----- install/install1.php -----
20: 
----- install/install1.php -----
The sanitizer strip_tags prevents new tags from being introduced (like ) but it does not filter onmouseover-type attribute attacks. addslashes inserts backslashes to escape special characters like the double quote, but since HTML does not process backslash escape sequences this sanitizer is useless for preventing a break-out of the double-quoted attribute, regardless of whether magic_quotes is enabled or not.
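To make the sanitizer discussion concrete, the following PHP example (added here; it is not Pligg's code and not taken from install1.php) renders a hidden language input with the strip_tags/addslashes combination the advisory describes, next to a version that encodes the value for an HTML attribute context and a version that validates the value against an allowlist. The field markup, the function names, the allowlist contents and the sample input are assumptions constructed for the example.

```php
<?php
// Added example, not Pligg's code. Assumes the "language" value arrives from
// $_GET and is echoed into a hidden <input> value="..." as the advisory describes.

// Vulnerable pattern from the advisory: strip_tags removes tags, addslashes
// turns " into \" -- but HTML does not interpret a backslash as an escape,
// so the browser still sees the quote and closes the value attribute.
function render_language_input_vulnerable(string $language): string
{
    $clean = addslashes(strip_tags($language));
    return '<input type="hidden" name="language" value="' . $clean . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES encodes both
// double and single quotes, so the value can never terminate the attribute.
function render_language_input_fixed(string $language): string
{
    $clean = htmlspecialchars($language, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="language" value="' . $clean . '">';
}

// Stronger still: an installer only knows a fixed set of languages, so validate
// against an allowlist and fall back to a default instead of sanitizing free text.
const ALLOWED_LANGUAGES = ['en', 'pt', 'es']; // constructed list, not Pligg's
function normalize_language(string $language): string
{
    return in_array($language, ALLOWED_LANGUAGES, true) ? $language : 'en';
}

// Does the rendered markup contain an onmouseover attribute outside the value?
// Used here only to show that the hardened renderers keep the handler inert.
function has_injected_handler(string $html): bool
{
    // A real event-handler attribute is preceded by whitespace and not encoded.
    return (bool) preg_match('/\sonmouseover\s*=/i', strip_tags_value($html));
}

// Helper: strip the quoted value attribute so only attributes on the tag remain.
function strip_tags_value(string $html): string
{
    return preg_replace('/value="(?:[^"\\\\]|\\\\.)*"/', 'value=""', $html, 1);
}

// Constructed input in the shape of the advisory's first proof of concept.
$payload = '" onmouseover=alert()';

echo render_language_input_vulnerable($payload), "\n";
echo render_language_input_fixed($payload), "\n";
echo render_language_input_fixed(normalize_language($payload)), "\n";
```

With the constructed payload, the vulnerable renderer emits `value="\" onmouseover=alert()"`; a browser reads the value as a single backslash and treats `onmouseover=alert()` as a separate attribute on the input tag. The hardened renderer emits `value="&quot; onmouseover=alert()"`, which stays one attribute with no handler, and the allowlisted version emits `value="en"`. The allowlist is the better fix for an installer, since the set of valid languages is known in advance; attribute encoding is the general rule for any value echoed into markup.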
===== Impact =====
Malicious JavaScript code can be executed in the context of the affected web site.
===== Proof of Concept =====
A simple proof of concept demonstrating the double-quote jail bypass is shown below. However, this attack is not exploitable on its own because the input field is hidden.
http://target/install/install1.php?language=%22%20onmouseover=alert()%3E
To overcome this limitation and provide a realistic attack scenario, we used a technique obtained from [1]. This attack increases the area of the affected input field so that it covers the whole screen. Once the mouse is moved anywhere on the screen, the onmouseover JavaScript handler is triggered and executes the malicious code. In this proof of concept, an alert containing the message "XSS" should be shown on the screen upon mouse movement.
http://target/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E
The attack vector used in this proof of concept had no effect on the Google Chrome web browser, but was successfully exploited on Mozilla Firefox and others.
===== Workaround =====
Remove the installation directory after installation, as recommended during installation.
===== Disclosure Timeline =====
June 16, 2010 - Vendor notification.
June 22, 2010 - Vendor replied but did not acknowledge the bug.
June 22, 2010 - New contact attempted to provide more details about the bug.
July 07, 2010 - No vendor reply. Public disclosure.
===== References =====
1. http://www.packetstormsecurity.org/papers/bypass/workaround-xss.txt
2. http://www.pligg.com