[Full-disclosure] XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))
- From: "nah@xxxxxxxxxx" <nah@xxxxxxxxxx>
- Date: Mon, 18 Apr 2005 17:51:13 -0700
Small XSS bug in the JAWS Glossary gadget; all versions from 0.3 to 0.5
latest beta (beta 2) are vulnerable.
STATUS: The vendor has been contacted and they fixed the bug, but they
haven't released an official patch yet.
(You can find a provisional patch at the end of this message.)
TECHNICAL INFO
================================================================
The Glossary gadget doesn't filter dangerous characters when a new word is
added to the glossary, allowing the insertion of anything from
"<script>alert(document.cookie)</script>" to more complex code.
Furthermore, this allows the theft of cookies and escalation of
permissions (when someone with lower access than you inserts malicious
code and tries to steal your access).
VULNERABLE VERSIONS
----------------------------------------------------------------
0.4-LATEST BETA (2)
FIX
------------------------------------------------------------------
Replace the NewTerm function in GlossaryModel.php with this new one.
/**
 * Adds a new term
 *
 * @access public
 * @param string $term Term
 * @param string $desc Term's description
 * @return boolean Returns true if term was added
 */
function NewTerm ($term, $desc)
{
    // xss fix: drop any HTML tags from the term and its description
    // before they are stored (and later echoed back to other users)
    if (stristr($term, "<") || stristr($term, ">"))
        $term = strip_tags($term);
    if (stristr($desc, "<") || stristr($desc, ">"))
        $desc = strip_tags($desc);

    $sql = "INSERT INTO [[term]] (term, description, createtime, updatetime)
            VALUES ({term}, {desc}, NOW(), NOW())";
    $rs = $GLOBALS["app"]->DB->Execute($sql, array("term" => $term,
                                                   "desc" => $desc));
    if ($rs) {
        $GLOBALS["session"]->PushLastResponse(_t("GLOSSARY_TERM_ADDED"),
                                              RESPONSE_NOTICE);
        return true;
    } else {
        $GLOBALS["session"]->PushLastResponse(_t("GLOSSARY_ERROR_TERM_NOT_CREATED"),
                                              RESPONSE_ERROR);
        return new JawsError(_t("GLOSSARY_ERROR_TERM_NOT_CREATED"),
                             _t("GLOSSARY_NAME"));
    }
}
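As an added example (not part of the advisory or of JAWS itself), the following stand-alone script applies the same input-side filtering the provisional patch uses for $term and $desc, side by side with output-side encoding, over a few constructed glossary entries; the function names and sample inputs are assumptions for illustration only.

```php
<?php
// Added example, not from the advisory or the JAWS project.
// filterGlossaryInput() mirrors the provisional patch: strip tags
// only when an angle bracket is present. renderGlossaryValue() is the
// complementary step a template should take when echoing stored data.

/** Mirrors the patch logic applied to $term and $desc in NewTerm(). */
function filterGlossaryInput(string $value): string
{
    if (stristr($value, '<') || stristr($value, '>')) {
        $value = strip_tags($value);
    }
    return $value;
}

/** Encodes a stored value for safe insertion into HTML text or a quoted attribute. */
function renderGlossaryValue(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample glossary entries (not real data).
$samples = [
    'plain'  => 'Cross-site scripting',
    // the payload quoted in the advisory: strip_tags removes the tags
    'script' => '<script>alert(document.cookie)</script>',
    // no angle brackets, so the patch stores it unchanged; only the
    // rendering step encodes the quotes and ampersand
    'quotes' => 'Say "hi" & wave',
];

foreach ($samples as $label => $input) {
    $stored = filterGlossaryInput($input);
    printf("%-7s stored: %-32s rendered: %s\n",
           $label, $stored, renderGlossaryValue($stored));
}
```

strip_tags leaves quotes and ampersands in place, so the rendered column is what protects a template that places a glossary value inside an attribute.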
----------------------------------------------------------
Contact information
:Paulino Calderon
:nah@xxxxxxxxxx
:http://suckea.com/nah/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/