SecurityTracker.com
SecurityTracker Archives

Category:  Application (Forum/Board/Portal)  >  WebSight Directory System
Vendors:  Koopmanschap, Stefan
WebSight Directory System Allows Remote Users to Conduct Cross-Site Scripting Attacks Against Directory Users
SecurityTracker Alert ID:  1003892
SecurityTracker URL:  http://securitytracker.com/id/1003892
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 25 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.1
Description:   A vulnerability was reported in the WebSight Directory System portal software. A remote user can conduct cross-site scripting attacks against other portal administrators.

It is reported that a remote user can submit a proposed new link for approval by an administrator. The user-supplied input is apparently not filtered or checked for HTML code. As a result, a remote user can submit a link that includes malicious javascript so that when the administrator checks the link submissions, the code will execute in the administrator's browser. The code will appear to originate from the web site and will run in the security context of that site. The code will be able to access the administrator's cookies and other sensitive information associated with that site.

The following demonstration exploit steps are provided:

Enter the following as website name when submitting a new link (one line):

Example<script>bad=window.open("http://example.com/portal/administration/
userman.php?uname=black&newpass=hat&submituser=ok", "bad",
"width=1,height=1");bad.close();</script>

Impact:   A remote user can cause arbitrary code to be executed by the administrator's browser when the administrator views new link submissions. The code may be able to steal the administrator's cookies and other information associated with the web site.
Solution:   The vendor has released a fixed version (0.1.1), available at:

http://sourceforge.net/project/showfiles.php?group_id=13794&release_id=81154

Vendor URL:  websight.sourceforge.net
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based and MySQL-based

Message History:   None.
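The defect described above is a stored cross-site scripting flaw: the submitted site name is written into the administrator's review page without HTML encoding. The following PHP is an added example, not WebSight's own code, showing a vulnerable rendering of the pending-link queue beside a hardened one; the field names, function names and sample rows are assumptions constructed for the example, and the first row reuses the advisory's demonstration payload as its site name.

```php
<?php
// Added example (not WebSight's own code). Field and function names are assumed.

// Constructed sample submissions; the first site name is the advisory's payload.
$pending = [
    ['name' => 'Example<script>bad=window.open("http://example.com/portal/administration/'
             . 'userman.php?uname=black&newpass=hat&submituser=ok","bad",'
             . '"width=1,height=1");bad.close();</script>',
     'url'  => 'javascript:alert(1)'],
    ['name' => 'Electronic Music World', 'url' => 'http://portal.electronicmusicworld.com/'],
];

// Vulnerable rendering: submitter-controlled text is concatenated straight into
// the HTML, so the <script> element runs in the admin's browser when the queue is
// viewed, with that site's cookies and session available to it.
function render_row_vulnerable(array $row): string {
    return "<tr><td><a href=\"{$row['url']}\">{$row['name']}</a></td></tr>\n";
}

// Only emit a submitted URL as a hyperlink if its scheme is http or https;
// anything else (javascript:, data:, ...) is shown as inert text instead.
function safe_url(string $url): ?string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Hardened rendering: HTML-encode every submitter-controlled value at output time
// (ENT_QUOTES also covers attribute context) and allowlist the link scheme.
function render_row_safe(array $row): string {
    $name = htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url  = safe_url($row['url']);
    if ($url === null) {
        $shown = htmlspecialchars($row['url'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return "<tr><td>{$name} (rejected URL: {$shown})</td></tr>\n";
    }
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td><a href=\"{$href}\" rel=\"noopener\">{$name}</a></td></tr>\n";
}

foreach ($pending as $row) {
    echo render_row_safe($row);   // the payload is displayed as text, never executed
}
```

The demonstration payload also depends on userman.php creating an administrator account from a plain GET request; requiring POST plus a per-session token for such state-changing actions limits what an injected script can achieve even if an encoding bug slips through.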


 Source Message Contents

Subject:  WebSight Directory System: cross-site-scripting bug


ppp-design found the following cross-site-scripting bug in WebSight
Directory System:


Details
-------
Product: WebSight Directory System
Affected Version: 0.1
Immune Version: 0.1.1
OS affected: all OS with php and mysql
Vendor-URL: http://sourceforge.net/projects/websight
Vendor-Status: informed
Security-Risk: medium - high
Remote-Exploit: Yes


Introduction
------------
This is what the author tells us: "WebSight is a portal/directory system
in the same vein as the Open Directory Project, Yahoo! or any of the
other big webportals. Originally created as the portal/directory system
for the Electronic Music World website, now available as open source."
Unfortunately the script does not check for any malicious code, so it is
possible to use cross-site-scripting to get an admin account.


More details
------------
When a user submits a new link (for approving by an admin), none of the
inputs is checked for malicious code. So a possible blackhat is able to
insert some javascript stuff here, which is executed when an admin
checks the submitted data.


Proof-of-concept
----------------
Enter the following as website name when submitting a new link (one line):

Example<script>bad=window.open("http://example.com/portal/administration/
userman.php?uname=black&newpass=hat&submituser=ok", "bad",
"width=1,height=1");bad.close();</script>

This will open a small popup when the admin checks the new submission,
which is closed directly after opening. After checking the new
submission, a new admin named "black" with password "hat" is generated,
so the blackhat can easily login as an admin and do everything he wants to.


Temporary-fix
-------------
Admins could disable Javascript but because there are still other
possibilities to enter malicious code, this will only stop this
proof-of-concept from working.


Fix
---
Use version 0.1.1 or later.


Security-Risk
-------------
The author claims the software is beta and not for use in
production environments. On the other hand it is used at (and developed
for) http://portal.electronicmusicworld.com, so we decide to rate the
risk medium - high.


Vendor status
-------------
The author reacted in a very deserving way. After less than 10 hours
there is a new version available which filters malicious code now.


Disclaimer
----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or misuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online at:
http://www.ppp-design.de/advisories.php


--
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A


 
 

