Pligg Installation File XSS Vulnerability
Title: Pligg Installation File XSS Vulnerability
Vendor: Pligg
Product: Pligg CMS
Tested Version: 1.0.4
Threat Class: XSS
Severity: Medium
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares

===== Description =====

Pligg is prone to an XSS vulnerability in the installation file
install/install1.php. The variable "language", obtained from an HTTP request,
can be manipulated to execute JavaScript via onmouseover-style event handler
attributes. Even with the two sanitizers applied (strip_tags and addslashes),
it is possible to break out of the double-quote "jail" of the input tag's
value attribute by passing a double quote in the "language" variable.

----- install/install1.php (line 20) -----
<input type="hidden" name="language" value="<?php echo addslashes(strip_tags($_REQUEST['language'])); ?>">
----- install/install1.php -----

The strip_tags sanitizer prevents new tags (such as <script> and </script>)
from being introduced, but it does not filter event handler attributes such as
onmouseover. addslashes inserts backslashes before special characters such as
the double quote, but because HTML does not process backslash escape
sequences, this sanitizer does nothing to prevent breaking out of the
double-quote jail, regardless of whether magic_quotes is enabled.
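As an added example (not code from the advisory or from Pligg), the following PHP contrasts the sanitizer chain described above with attribute-context output encoding and a value allowlist. The function names and the list of known languages are my own assumptions; the only input taken from the advisory is the decoded "language" value of its first proof-of-concept URL.

```php
<?php
// Added example, not Pligg's own code: it contrasts the sanitizer chain the
// advisory describes (addslashes(strip_tags(...))) with attribute-context
// encoding plus an allowlist. Function names are hypothetical; the only
// input taken from the advisory is the decoded first proof-of-concept value.

// What install1.php does, as quoted in the advisory: strip tags, then add
// backslashes. Neither step neutralises a double quote for HTML purposes.
function pligg_style_sanitize(string $value): string
{
    return addslashes(strip_tags($value));
}

// Output encoding for a value placed inside a double-quoted HTML attribute:
// '"', "'", '<', '>' and '&' become entities, so the attribute cannot be
// closed early and no new attribute or tag can start inside it.
function attribute_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Stronger still for a field like "language": only accept values from a
// known set (hypothetical list) and fall back to a default otherwise.
function allowlisted_language(string $value, array $known, string $default): string
{
    return in_array($value, $known, true) ? $value : $default;
}

function render_hidden_input(string $encoded): string
{
    return '<input type="hidden" name="language" value="' . $encoded . '">';
}

// Constructed input: the decoded "language" value from the advisory's first
// proof-of-concept URL.
$payload = '" onmouseover=alert()>';

// addslashes leaves a backslash before the quote, but a browser does not treat
// backslash as an escape, so the attribute still ends at that quote and
// onmouseover=... is parsed as a separate attribute of the <input> tag.
echo "addslashes(strip_tags()): ", render_hidden_input(pligg_style_sanitize($payload)), "\n";

// With entity encoding the quote is emitted as &quot;, which stays inside the
// attribute value.
echo "htmlspecialchars(ENT_QUOTES): ", render_hidden_input(attribute_encode($payload)), "\n";

// With an allowlist the hostile value never reaches the page at all.
$lang = allowlisted_language($payload, ['en', 'es', 'fr'], 'en');
echo "allowlist + encode: ", render_hidden_input(attribute_encode($lang)), "\n";
```

Run it with `php example.php` and compare the three rendered tags: only the first one contains a bare double quote followed by an onmouseover attribute. Encoding at the point of output (htmlspecialchars with ENT_QUOTES) is the general fix for attribute contexts; the allowlist is an additional control that fits a parameter like "language", whose legitimate values are known in advance.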

===== Impact =====

Malicious JavaScript can be executed in the context of the affected web site.

===== Proof of Concept =====

A simple proof of concept demonstrating the double-quote jail bypass is shown
below. However, this request is not exploitable on its own because the input
field is hidden.

http://target/install/install1.php?language=%22%20onmouseover=alert()%3E

To overcome this limitation and provide a realistic attack scenario, we used a
technique obtained from [1]. This attack enlarges the affected input field so
that it covers the whole screen. Once the mouse is moved anywhere on the
screen, the onmouseover JavaScript is triggered and the malicious code
executes. In this proof of concept, an alert containing the message "XSS"
should appear on the screen upon mouse movement.

http://target/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E

The attack vector used in this proof of concept had no effect on the Google
Chrome web browser, but was successfully exploited on Mozilla Firefox and
others.

===== Workaround =====

Remove the installation directory after installation, as recommended during
installation.

===== Disclosure Timeline =====

June 16, 2010 - Vendor notification.
June 22, 2010 - Vendor replied but did not acknowledge the bug.
June 22, 2010 - New contact attempted to provide more details about the bug.
July 07, 2010 - No vendor reply. Public disclosure.

===== References =====

1. http://www.packetstormsecurity.org/papers/bypass/workaround-xss.txt
2. http://www.pligg.com