php(Reactor) Web Site Software Allows Remote Users to Conduct Cross-Site Scripting Attacks to Steal Authentication Cookies
SecurityTracker Alert ID: 1004491
SecurityTracker URL: http://securitytracker.com/id/1004491
Date: Jun 8 2002
Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.2.7 and prior versions
A cross-site scripting vulnerability has been reported in php(Reactor). A remote user can steal the authentication cookies of php(Reactor) users to access their accounts.
ALPER Research Labs reported that the 'comments' section of the 'browse.php' script allows a remote user to submit HTML containing malicious scripting code via the '$go' variable. The software apparently does not filter this user-supplied input.
A remote user can create a specially crafted malicious link that, when loaded by a target (victim) user, will cause the embedded malicious script to be executed by the target user's browser. The code will appear to originate from the site running php(Reactor) and will run in the security context of that site. As a result, the code will be able to access the target user's authentication cookies associated with that site.
With the target user's authentication cookies, the remote user can then gain access to the target user's account on php(Reactor).
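The unfiltered pattern described above, next to a filtered form, as an added example that is not php(Reactor) code or the vendor's fix. The advisory does not show how 'browse.php' emits '$go', so the reflection into a link, the function names and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, NOT php(Reactor) source. The advisory does not show how
// browse.php emits $go, so the reflection into a link is an assumption.

// Unfiltered pattern of the kind the advisory describes: request values are
// concatenated into the page, so markup in 'go' is parsed by the browser.
function comment_link_unfiltered(array $query): string
{
    return '<a href="browse.php?fid=' . $query['fid'] . '&tid=' . $query['tid']
         . '&go=' . $query['go'] . '">Back to comments</a>';
}

// Filtered pattern: validate the integer fields, URL-encode the rebuilt query
// string, then HTML-encode it for the attribute context it is written into.
function comment_link_filtered(array $query): ?string
{
    $opts = ['options' => ['min_range' => 0]];
    $fid = filter_var($query['fid'] ?? '', FILTER_VALIDATE_INT, $opts);
    $tid = filter_var($query['tid'] ?? '', FILTER_VALIDATE_INT, $opts);
    $go  = $query['go'] ?? '';
    if ($fid === false || $tid === false || !is_string($go)) {
        return null; // caller should answer 400 rather than render anything
    }
    $qs = http_build_query(['fid' => $fid, 'tid' => $tid, 'go' => $go]);
    return '<a href="browse.php?' . htmlspecialchars($qs, ENT_QUOTES, 'UTF-8')
         . '">Back to comments</a>';
}

// Constructed sample input: a harmless marker tag stands in for script content.
$sample = ['fid' => '2', 'tid' => '17', 'go' => '"><b>marker</b>'];

// Unfiltered: the marker tag reaches the page as live markup.
echo comment_link_unfiltered($sample), PHP_EOL;

// Filtered: the same value stays inside the href as percent-encoded data.
echo comment_link_filtered($sample), PHP_EOL;

// A non-integer fid is rejected before any HTML is produced.
var_dump(comment_link_filtered(['fid' => '2x', 'tid' => '17', 'go' => 'a']));
```

Marking the authentication cookie HttpOnly limits what injected script can read, but it does not replace encoding the output.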
A demonstration exploit example is provided:
A remote user can cause arbitrary scripting code to be executed on a target user's browser when the target user views the affected web site. The code can then access the target user's authentication cookies associated with that site.
The vendor has released a fixed version (1.2.7pl1), available at:
Vendor URL: phpreactor.org/articles/
Input validation error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [ARL02-A12] PHP(Reactor) Cross Site Scripting Vulnerability
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A12 ----/----------/+
+/-----------\----- email@example.com ---/-----------/+
Name : php(Reactor) Cross Site Scripting Vulnerability
Software Package : php(Reactor)
Vendor Homepage : http://phpreactor.org/
Vulnerable Versions: v1.2.7 and older
Platforms : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted : 15/05/2002
Vendor Replied : 15/05/2002
Prior Problems : N/A
Current Version : v1.2.7pl1 (immune)
php(Reactor) is a set of integrated applications
focusing on user interaction. Included are articles,
content management, bbs/forums, polls, ecards, and
chat events. Administration is quick and easy with
a browser-based control panel.
A Cross Site Scripting vulnerability exists in
php(Reactor). This would allow a remote attacker
to send information to victims from untrusted web
servers, and make it look as if the information
came from the legitimate server.
The "browse.php", in the "comments" section does not
filter user input for $go variable. So any user may
craft a malicious link, and can gain information about
users, and even may get the login information of the
Here's the proof-of-concept link example;
Note that the $fid and $tid variables should be integers.
The vendor replied quickly, and has released a new version
on 28/05/2002, which can be downloaded at
Discovered on 15, May, 2002 by
Ahmet Sabri ALPER <firstname.lastname@example.org>
ALPER Research Labs.
Product Web Page: http://www.phpreactor.org/