SecurityTracker.com
Category:   Application (Generic)  >   PHPX
Vendors:   phpx.org
PHPX Cookie Authentication Flaw Lets Remote Users Hijack a Target User's Account
SecurityTracker Alert ID:  1010060
SecurityTracker URL:  http://securitytracker.com/id/1010060
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 4 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.2.3 and prior versions
Description:   Several input validation vulnerabilities and an authentication vulnerability were reported in PHPX. A remote user can hijack a target user's account. A remote user can conduct cross-site scripting attacks.

In February 2004, Manuel Lopez reported that a remote user can edit the PXL value in their cookie, setting it to a target user's userID, to gain access to the target user's account.
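The class of flaw described above, next to one way to close it, as an added example that is not PHPX code and not the vendor's 3.2.4 fix. Only the cookie name PXL comes from the advisory; the function names, token layout and key handling are assumptions made for illustration.

```php
<?php
// Added illustration; not PHPX source. All function names are hypothetical.

// Vulnerable pattern: the cookie value itself is treated as the account identity.
function current_user_unsafe(array $cookies): ?int
{
    // Nothing binds the value to a login, so the client chooses the userID.
    return isset($cookies['PXL']) ? (int) $cookies['PXL'] : null;
}

// Hardened pattern: the cookie carries userID, expiry and an HMAC over both.
function issue_token(int $userId, string $key, int $ttl = 3600): string
{
    $payload = $userId . '.' . (time() + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function current_user_safe(array $cookies, string $key): ?int
{
    $parts = explode('.', $cookies['PXL'] ?? '');
    if (count($parts) !== 3) {
        return null;                      // bare userID or malformed value
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;                      // non-numeric fields
    }
    $expected = hash_hmac('sha256', "$userId.$expires", $key);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return null;                      // userID or expiry was altered
    }
    if ((int) $expires < time()) {
        return null;                      // token has expired
    }
    return (int) $userId;
}

// Constructed demo: user 42 logs in, then the cookie is edited to name user 1.
$key    = random_bytes(32);               // server-side secret, never sent to the client
$cookie = issue_token(42, $key);
$edited = preg_replace('/^42\./', '1.', $cookie);

var_dump(current_user_unsafe(['PXL' => '1']));          // bare userID, unsafe check
var_dump(current_user_safe(['PXL' => '1'], $key));      // bare userID, safe check
var_dump(current_user_safe(['PXL' => $edited], $key));  // edited signed cookie
var_dump(current_user_safe(['PXL' => $cookie], $key));  // untouched signed cookie
```

A signed token cannot be revoked before it expires; a random session ID looked up server-side is the alternative when logout or forced invalidation is needed.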

It is also reported that the 'main.inc.php' and 'help.inc.php' files do not filter HTML code from user-supplied data before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHPX software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

main.inc.php?keywords='><script>alert(document.cookie)</script>
help.inc.php?body='><script>alert(document.cookie)</script>

It is also reported that the 'Personal Messages' and 'Forum' sections allow a remote user to insert HTML code into the subject field to conduct cross-site scripting attacks.

Impact:   A remote user can hijack a target user's account.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHPX software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has released a fixed version (3.2.4), available at:

http://sourceforge.net/project/showfiles.php?group_id=67670

Vendor URL:  www.phpx.org/
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities in PHPX



Title: Multiple Vulnerabilities in PHPX

#IST Efnet.

Url: http://www.phpx.org

Description:
PHPX is a web portal system, blog, Content Management System (CMS),
forums, and more. PHPX is designed to allow everyone to be able to have
feature rich, interactive websites even if you do not know a bit of
programming.

Affected Versions:
The vulnerabilities were found in version 3.2.3 of PHPX, earlier versions
could be affected by these issues.

Severity: High

Vulnerabilities:

- Cross Site Scripting:

A vulnerability exists in main.inc.php, help.inc.php, that allows
arbitrary code execution on the client-side browser.

 main.inc.php?keywords='><script>alert(document.cookie)</script>
 help.inc.php?body='><script>alert(document.cookie)</script>

- HTML/Code Injection Flaw:

In Personal Messages and Forum the injection of malicious code is possible
in the subject field directly.
An attacker can submit specially crafted text so that when a target user
views certain pages on the service, arbitrary scripting code will be
executed by the target user's browser, allowing the attacker to modify
user profiles, post in forums, steal cookies...

- Cookie Account Hijacking Vulnerability:

The cookie contains a PXL variable, which PHPX uses to determine which
change it by target userID to gain access to their account.
This issue can be exploited to gain an administrative account,
compromising completely the service.

Solution: Vendor contacted and released version 3.2.4.
http://phpx.org
Upgrade to version 3.2.4

---- Credits ----

Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SargE^, Logicman, kour,
Archville, hypen, daiamon, M_I_R.. and all the #IST staff.

Excuse me for speaking English so badly.

 
 



Copyright 2021, SecurityGlobal.net LLC