SecurityTracker.com


 


Category:   Application (Forum/Board/Portal)  >   php(Reactor)
Vendors:   3WSI, eKilat LLC
php(Reactor) Web Site Software Allows Remote Users to Conduct Cross-Site Scripting Attacks to Steal Authentication Cookies
SecurityTracker Alert ID:  1004491
SecurityTracker URL:  http://securitytracker.com/id/1004491
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 8 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.2.7 and prior versions
Description:   A cross-site scripting vulnerability has been reported in php(Reactor). A remote user can steal the authentication cookies of php(Reactor) users to access their accounts.

ALPER Research Labs reported that the 'comments' section of the 'browse.php' script allows a remote user to submit HTML containing malicious scripting code via the '$go' variable. The software apparently does not filter this user-supplied input.

A remote user can create a specially crafted malicious link that, when loaded by a target (victim) user, will cause the embedded malicious script to be executed by the target user's browser. The code will appear to originate from the site running php(Reactor) and will run in the security context of that site. As a result, the code will be able to access the target user's authentication cookies associated with that site.

With the target user's authentication cookies, the remote user can then gain access to the target user's account on php(Reactor).

A demonstration exploit example is provided:

http://[target]/comments/browse.php?fid=2&tid=4&go=<script>alert(document.cookie)</script>

Impact:   A remote user can cause arbitrary scripting code to be executed on a target user's browser when the target user views the affected web site. The code can then access the target user's authentication cookies associated with that site.
Solution:   The vendor has released a fixed version (1.2.7pl1), available at:

http://sourceforge.net/project/showfiles.php?group_id=12105&release_id=91877

Vendor URL:  phpreactor.org/articles/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
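
The cause listed above is missing filtering of the 'go' parameter of 'browse.php'. The sketch below is an added example, not php(Reactor) source and not the vendor's 1.2.7pl1 change: it places a handler that reflects 'go' unencoded beside a hardened one. The function names, the markup, and the assumption that 'go' is echoed into a link are hypothetical; only the parameter names 'fid', 'tid' and 'go' and the sample request come from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the reported behaviour: the value of `go`
// reaches the HTML response without any encoding.
function render_vulnerable(array $query): string
{
    $go = $query['go'] ?? '';
    return '<a href="browse.php?go=' . $go . '">Continue</a>';
}

// Hardened handler: validate the integer parameters, then encode `go` for
// each context it passes through (URL component first, HTML attribute second).
function render_hardened(array $query): string
{
    $intOpts = ['options' => ['min_range' => 0]];
    $fid = filter_var($query['fid'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $tid = filter_var($query['tid'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    if ($fid === false || $tid === false) {
        return '<p>Invalid request.</p>';    // reject instead of guessing
    }

    $go = $query['go'] ?? '';
    if (!is_string($go)) {                    // go[]=x arrives as an array
        $go = '';
    }

    $href = sprintf('browse.php?fid=%d&tid=%d&go=%s', $fid, $tid, rawurlencode($go));
    return '<a href="'
         . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '">Continue</a>';
}

// Constructed sample input mirroring the advisory's demonstration link.
$sample = ['fid' => '2', 'tid' => '4', 'go' => '<script>alert(document.cookie)</script>'];

// Print both renderings of the same request, then a request whose fid is
// not an integer, to compare the markup each handler emits.
echo render_vulnerable($sample), PHP_EOL;
echo render_hardened($sample), PHP_EOL;
echo render_hardened(['fid' => '2 OR 1', 'tid' => '4', 'go' => 'x']), PHP_EOL;
```

Setting the session cookie HttpOnly (PHP's `session.cookie_httponly` setting) limits what an injected script can read from `document.cookie`, but it does not remove the injection itself.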

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Fixed Version is Still Vulnerable) Re: php(Reactor) Web Site Software Allows Remote Users to Conduct Cross-Site Scripting Attacks to Steal Authentication Cookies
A user reports that the fixed version is still vulnerable.



 Source Message Contents

Subject:  [ARL02-A12] PHP(Reactor) Cross Site Scripting Vulnerability




+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A12    ----/----------/+
+/-----------\----- salper@olympos.org  ---/-----------/+


Advisory Information
--------------------
Name               : php(Reactor) Cross Site Scripting Vulnerability
Software Package   : php(Reactor)
Vendor Homepage    : http://phpreactor.org/
Vulnerable Versions: v1.2.7 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/05/2002
Vendor Replied     : 15/05/2002
Prior Problems     : N/A
Current Version    : v1.2.7pl1 (immune)


Summary
-------
php(Reactor) is a set of integrated applications
focusing on user interaction. Included are articles,
content management, bbs/forums, polls, ecards, and
chat events. Administration is quick and easy with
a browser-based control panel.

A Cross Site Scripting vulnerability exists in
php(Reactor). This would allow a remote attacker
to send information to victims from untrusted web
servers, and make it look as if the information
came from the legitimate server.


Details
-------
The "browse.php", in the "comments" section does not
filter user input for $go variable. So any user may
craft a malicious link, and can gain information about
users, and even may get the login information of the
administrator.

Here's the proof-of-concept link example;
http://[target]/comments/browse.php?fid=2&tid=4&go=<script>alert(document.cookie)</script>

Note that the $fid and $tid variables should be integers.


Solution
--------
The vendor replied quickly, and has released a new version
on 28/05/2002, which can be downloaded at
http://sourceforge.net/project/showfiles.php?group_id=12105&release_id=91877


Credits
-------
Discovered on 15, May, 2002 by
Ahmet Sabri ALPER <salper@olympos.org>
ALPER Research Labs.


References
----------
Product Web Page: http://www.phpreactor.org/

 
 

