From: Ahmet Sabri ALPER (s_alper@hotmail.com)
Date: Thu Jun 06 2002 - 09:09:44 CDT


    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A12 ----/----------/+
    +/-----------\----- salper@olympos.org ---/-----------/+


    Advisory Information
    --------------------
    Name : php(Reactor) Cross Site Scripting Vulnerability
    Software Package : php(Reactor)
    Vendor Homepage : http://phpreactor.org/
    Vulnerable Versions: v1.2.7 and older
    Platforms : OS Independent, PHP
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 15/05/2002
    Vendor Replied : 15/05/2002
    Prior Problems : N/A
    Current Version : v1.2.7pl1 (immune)


    Summary
    -------
    php(Reactor) is a set of integrated applications
    focusing on user interaction. Included are articles,
    content management, bbs/forums, polls, ecards, and
    chat events. Administration is quick and easy with
    a browser-based control panel.

    A Cross Site Scripting vulnerability exists in
    php(Reactor). This would allow a remote attacker
    to send information to victims from untrusted web
    servers, and make it look as if the information
    came from the legitimate server.


    Details
    -------
    The script "browse.php" in the "comments" section does not
    filter user input passed in the $go variable before echoing
    it back into the page. Any user may therefore craft a
    malicious link that runs script in a victim's browser, gain
    information about users, and possibly obtain the login
    information (session cookie) of the administrator.

    Here is the proof-of-concept link example:
    http://[target]/comments/browse.php?fid=2&tid=4&go=<script>alert(document.cookie)</script>

    Note that the $fid and $tid variables must be integers.
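    The following PHP is an added illustration and is not code from
    php(Reactor); the function names and the way the "go" parameter is
    reflected are assumptions. It shows the unsafe pattern the advisory
    describes (a request parameter echoed into HTML unencoded) next to
    a hardened version that validates the integer parameters and
    HTML-encodes the free-text one before output.

```php
<?php
// Added example, not php(Reactor)'s code. A minimal model of a
// comments browser that reflects a "go" parameter into the response.
// Function names and handling are assumptions for illustration.

// Vulnerable pattern: the raw $go value is concatenated into HTML,
// so a crafted link can inject script that runs in the victim's browser.
function render_vulnerable(array $params): string
{
    $go = $params['go'] ?? '';
    return '<p>Jump to: ' . $go . '</p>';
}

// Hardened pattern: validate the integer parameters and HTML-encode
// anything that is reflected into the page.
function render_hardened(array $params): string
{
    // $fid and $tid are expected to be integers; reject anything else.
    $fid = filter_var($params['fid'] ?? null, FILTER_VALIDATE_INT);
    $tid = filter_var($params['tid'] ?? null, FILTER_VALIDATE_INT);
    if ($fid === false || $tid === false) {
        http_response_code(400);
        return 'Invalid forum or thread id.';
    }

    // $go is free text, so encode it before it reaches the browser.
    $go = htmlspecialchars($params['go'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Jump to: ' . $go . '</p>';
}

// Constructed sample request mirroring the advisory's proof-of-concept.
$sample = [
    'fid' => '2',
    'tid' => '4',
    'go'  => '<script>alert(document.cookie)</script>',
];

echo render_vulnerable($sample), "\n"; // script tag reaches the browser intact
echo render_hardened($sample), "\n";   // shown as literal &lt;script&gt; text
```

    Run with `php example.php`: the first line contains an executable
    script tag, the second contains only encoded text. The same
    encode-on-output rule applies to every other parameter the page
    reflects, not only $go.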


    Solution
    --------
    The vendor replied quickly and released a new version
    on 28/05/2002, which can be downloaded at
    http://sourceforge.net/project/showfiles.php?group_id=12105&release_id=91877


    Credits
    -------
    Discovered on 15 May 2002 by
    Ahmet Sabri ALPER <salper@olympos.org>
    ALPER Research Labs.


    References
    ----------
    Product Web Page: http://www.phpreactor.org/