[MajorSecurity #19] AutoRank <= 5.01 - Multiple XSS and cookie disclosure
------------------------------------------------------------

Software: AutoRank

Version: <=5.01

Type: Cross-site scripting

Discovery Date: June 23rd, 2006

Made public: July 2nd, 2006

Vendor: JMB SOFTWARE

Page: http://www.jmbsoft.com/

Rated as: Low Risk

Credits:
----------------------------------------------
Discovered by: David "Aesthetico" Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls19.txt

Affected Products:
----------------------------------------------
AutoRank PHP 3.02 and prior
AutoRank Pro 5.01 and prior

Contacted Vendor:
----------------------------------------------
I contacted the vendor on June 25th, 2006 at 12:25 PM via e-mail.
The vendor replied to my e-mail on June 26th, 2006, but there is still no fix available.
A copy of the e-mail is attached as a screenshot at the end of this text.

Description:
----------------------------------------------
AutoRank PHP is our next-generation toplist software, written completely in PHP and backed by a MySQL database.
AutoRank Professional is a complete top list software package.
It keeps a database of accounts, and the account holders can then send hits to your site.

Requirements:
----------------------------------------------
register_globals = On

Vulnerability:
----------------------------------------------
Input passed to the "Keyword" parameter in "search.php" and to the "Username" parameter in "main.cgi" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution (against XSS attacks):
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
Use the "htmlspecialchars()" or "strip_tags()" PHP functions on the reflected values so that HTML tags are rendered as text instead of being interpreted by the browser.

Example:


Set "register_globals" to "Off".
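As an added example, not taken from the original advisory or from the vendor's code, the reflection pattern described above next to a hardened version; the function names and the sample input are assumed, only the "Keyword" parameter name comes from the advisory:

```php
<?php
// Added example, not AutoRank's code: the reflection pattern the advisory
// describes and a hardened version. Function names are assumed.

// Vulnerable pattern. With register_globals = On, PHP creates $Keyword from
// the request for you, and here it is echoed back untouched, once in the
// page body and once inside a double-quoted attribute.
function render_results_vulnerable($Keyword) {
    return '<p>Results for: ' . $Keyword . "</p>\n"
         . '<input type="text" name="Keyword" value="' . $Keyword . '">';
}

// Hardened: take the parameter explicitly from $_GET (so it also works with
// register_globals = Off) and encode it with htmlspecialchars(). ENT_QUOTES
// matters because the value is also placed inside a double-quoted attribute.
function render_results_safe(array $get) {
    $keyword = isset($get['Keyword']) ? (string) $get['Keyword'] : '';
    $enc = htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Results for: ' . $enc . "</p>\n"
         . '<input type="text" name="Keyword" value="' . $enc . '">';
}

// Constructed sample input: closes the attribute and injects markup.
$sample = 'cars"><i>injected</i>';

echo "--- vulnerable ---\n", render_results_vulnerable($sample), "\n\n";

// strip_tags() removes the <i> tags but keeps the double quote, so the
// value still breaks out of the attribute: not sufficient on its own here.
echo "--- strip_tags only ---\n",
     render_results_vulnerable(strip_tags($sample)), "\n\n";

// htmlspecialchars() turns " into &quot; and < into &lt;, so the browser
// displays the text instead of parsing it as markup.
echo "--- htmlspecialchars ---\n",
     render_results_safe(['Keyword' => $sample]), "\n";
```

Run with `php example.php` and compare the three outputs; only the last one keeps the input inside the attribute and out of the markup.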

Screenshots:
----------------------------------------------
http://majorsecurity.de/advisory/AutoRank.JPG
http://majorsecurity.de/advisory/jmb_reply.JPG