TUCoPS :: Web :: CMS / Portals :: hack3661.htm

e107 web portal user.php XSS (Cross Site Scripting)
e107 web portal user.php XSS (Cross Site Scripting) 



-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



-------------------------------------------------

R.A.M Security Advisory

-------------------------------------------------

http://www.ramsecurity.us 

-------------------------------------------------

Severity: Medium

Title: e107 web portal user.php xss

Date: May 21, 2004

-------------------------------------------------



  Synopsis:



 All versions of e107 have a vulnerability that

allows javascript or html content in user.php.





  Description:



 All versions of e107 have a vulnerability that

allows xss or html tags and content to be posted to the

Website URL for a member.



 The Problem lies within the usersettings.php

which does not parse < > ( ) tags thus allowing any

user to insert a javascript or html. The problem is

in user.php where the information is displayed. When someone updates their url, AIM or MSN field with malicious content it is displayed without being correctly parsed. Here is an example of how the input might be crafted: 



URL field:

http://www.mysiteurl.com/<script>alert(document.cookie)</script >



AIM/MSN field: <script>alert(document.cookie)</script>



Now whenever a user visits that members profile they

will get a javascript popup with their cookie

information while the link will just show:



http://www.mysiteurl.com/ 



and when the link is clicked on it will take the user

to mysiteurl.com.



  Impact:



 This may lead to cookie information being

stolen or other such xss attacks.

 

  Solution:



edit user.php from lines 233 to 261 to read. Remove spaces in the replace string so that & lt ; etc will form one word:



 ";

$source = $user_aim;

//check for bad input and convert it to ISO-8859-1

$bad =  array("<",">","(",")");

$replace = array("& lt ;","& gt ;","& #40 ;","& #41 ;");

 $user_aim = str_replace($bad, $replace, $source);

foreach($user_aim as $aim) {

$user_aim = $aim;

}

$str .= "

                

                        
  ".LAN_116."".($user_aim ? $user_aim : "".LAN_401."")."


                



                 ";

$source = $user_msn;

$user_msn = str_replace($bad, $replace, $source);

foreach($user_msn as $msn) {

$user_msn = $msn;

}

$str .= "

                
  ".LAN_117."".($user_msn ? $user_msn : "".LAN_401."")."


                 ";

$source = $user_homepage;

$user_homepage = str_replace($bad, $replace, $source);

foreach($user_homepage as $homepage) {

$user_homepage = $homepage;

}

$str .= "



-----BEGIN PGP SIGNATURE-----

Version: PGPfreeware 6.5.8 for non-commercial use  



iQA/AwUBQK8GK9X3ZZExQKX/EQLyOACg5TX3vqGnXlJpv6sWjkmPTkldG3EAn244

2fdinygjzW7EPp6Fve50QiKe

=MNjB

-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH