SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   php(Reactor)
Vendors:   3WSI, eKilat LLC
(Fixed Version is Still Vulnerable) Re: php(Reactor) Web Site Software Allows Remote Users to Conduct Cross-Site Scripting Attacks to Steal Authentication Cookies
SecurityTracker Alert ID:  1005132
SecurityTracker URL:  http://securitytracker.com/id/1005132
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 24 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.2.7 and prior versions
Description:   A cross-site scripting vulnerability has been reported in php(Reactor). A remote user can steal the authentication cookies of php(Reactor) users to access their accounts.

ALPER Research Labs reported that the 'comments/browse.php' script reflects the value of the 'go' request parameter (the '$go' variable in the script) into the generated page without filtering it, so a remote user can supply HTML containing malicious scripting code in that parameter.

A remote user can create a specially crafted malicious link that, when loaded by a target (victim) user, will cause the embedded malicious script to be executed by the target user's browser. The code will appear to originate from the site running php(Reactor) and will run in the security context of that site. As a result, the code will be able to access the target user's authentication cookies associated with that site.

With the target user's authentication cookies, the remote user can then gain access to the target user's account on php(Reactor).

A demonstration exploit example is provided:

http://[target]/comments/browse.php?fid=2&tid=4&go=<script>alert(document.cookie)</script>

Impact:   A remote user can cause arbitrary scripting code to be executed on a target user's browser when the target user views the affected web site. The code can then access the target user's authentication cookies associated with that site.
Solution:   A fix (1.2.7pl1) is available at the Vendor URL. However, it is reported that the fix does not fully close the hole. The fix reduces the set of allowed tags to B, I and FONT but does not filter the attributes of those tags, so a remote user can still place script in a "STYLE" attribute. The following demonstration works only in browsers that evaluate CSS expression() in inline styles (Internet Explorer does; other browsers of the period do not):

<b style="expression(alert(document.cookie))">

Vendor URL:  phpreactor.org/articles/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
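The three filter states this advisory describes (1.2.7 reflecting the 'go' parameter unfiltered, 1.2.7pl1 whitelisting tags but not their attributes, and a filter that also whitelists attributes) can be modelled side by side. The Python below is an added illustration written for this page; it is not php(Reactor)'s code, and the tag/attribute regexes, the attribute whitelist ALLOWED_ATTRS, the SAFE_VALUE_RE value shape and the function names are assumptions made for the example. The two payloads are the ones quoted in the advisory, embedded as constructed input.

```python
import html
import re

# Payloads quoted in the advisory above, embedded here as constructed test input.
REFLECTED_PAYLOAD = "<script>alert(document.cookie)</script>"
STYLE_BYPASS_PAYLOAD = '<b style="expression(alert(document.cookie))">'

# Tag whitelist reported for 1.2.7pl1 (B, I, FONT).
ALLOWED_TAGS = {"b", "i", "font"}
# Assumed attribute whitelist for the hardened filter; 1.2.7pl1 evidently had none.
ALLOWED_ATTRS = {"font": {"color", "size"}}
# Assumed shape of a safe attribute value: a short token such as red, 3 or #ff0000.
SAFE_VALUE_RE = re.compile(r"#?[A-Za-z0-9]{1,16}")

# Assumed minimal HTML tokenising; enough for the fragments discussed on this page.
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)([^>]*)>")
ATTR_RE = re.compile(
    r"""([A-Za-z_:][-A-Za-z0-9_:.]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?"""
)


def no_filter(fragment: str) -> str:
    """php(Reactor) 1.2.7 as reported: the go parameter is reflected untouched."""
    return fragment


def tag_whitelist_only(fragment: str) -> str:
    """Model of the 1.2.7pl1 fix: unknown tags are neutralised, but an allowed
    tag keeps every attribute it came with, so style="expression(...)" survives."""
    def repl(m: re.Match) -> str:
        name = m.group(2).lower()
        if name in ALLOWED_TAGS:
            return m.group(0)            # attributes pass through unchanged
        return html.escape(m.group(0))   # <script> becomes inert text
    return TAG_RE.sub(repl, fragment)


def tag_and_attribute_whitelist(fragment: str) -> str:
    """Hardened filter: whitelist tags, then whitelist attribute names per tag
    and constrain their values, rebuilding each tag from the kept parts only."""
    def repl(m: re.Match) -> str:
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED_TAGS:
            return html.escape(m.group(0))
        if closing:
            return f"</{name}>"
        kept = []
        for am in ATTR_RE.finditer(attrs):
            aname, raw = am.group(1).lower(), am.group(2)
            if raw is None or aname not in ALLOWED_ATTRS.get(name, set()):
                continue                 # drops style=, on*= and bare attributes
            value = raw.strip("\"'")
            if SAFE_VALUE_RE.fullmatch(value):
                kept.append(f'{aname}="{html.escape(value, quote=True)}"')
        return "<" + name + "".join(f" {a}" for a in kept) + ">"
    return TAG_RE.sub(repl, fragment)


def has_script_vector(fragment: str) -> bool:
    """Rough detector for the vectors on this page: a live <script> tag, or an
    event-handler/style attribute carrying a CSS expression() or javascript: URL."""
    for m in TAG_RE.finditer(fragment):
        name, attrs = m.group(2).lower(), m.group(3)
        if name == "script":
            return True
        for am in ATTR_RE.finditer(attrs):
            aname = am.group(1).lower()
            value = (am.group(2) or "").lower()
            if aname.startswith("on") or "expression(" in value or "javascript:" in value:
                return True
    return False


if __name__ == "__main__":
    filters = [("1.2.7 (no filter)", no_filter),
               ("1.2.7pl1 (tag whitelist)", tag_whitelist_only),
               ("hardened (tag+attr whitelist)", tag_and_attribute_whitelist)]
    for label, fn in filters:
        for payload in (REFLECTED_PAYLOAD, STYLE_BYPASS_PAYLOAD):
            out = fn(payload)
            state = "VULNERABLE" if has_script_vector(out) else "inert"
            print(f"{label:32} {state:10} {out}")
```

Running the script shows the <script> payload neutralised by the tag whitelist alone while the STYLE payload passes it untouched; only the filter that rebuilds each allowed tag from a whitelist of attribute names and constrained values reduces the bypass to a bare <b>. The general lesson, which goes beyond this one advisory, is that a tag whitelist without an attribute whitelist is not a filter: any allowed element carries style= and on*= attributes that can hold script.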

Message History:   This archive entry is a follow-up to the message listed below.
Jun 8 2002 php(Reactor) Web Site Software Allows Remote Users to Conduct Cross-Site Scripting Attacks to Steal Authentication Cookies



 Source Message Contents

Subject:  [Full-Disclosure] phpReactor - Cross-Site Scripting via STYLE


phpReactor has recently been updated to eliminate several known cross-site
scripting vulnerabilities.  Among these changes was reducing the tags
allowed in posts, profiles, etc. down to B, I, and FONT.  However, using the
"STYLE" attribute, one can still defeat this:

<b style="expression(alert(document.cookie))">

This won't work on all browsers (IE runs it, though).

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2019, SecurityGlobal.net LLC