Stored XSS issue and REQUEST_URI XSS

Reported by LiquidWorm on 2011-01-22
Affects: Eventum
Importance: High
Assigned to: Bryan Alsdorf

Bug Description

Affected version: 2.2 and 2.3

Date discovered: 19.01.2011

Eventum suffers from a cross-site scripting vulnerability. The persistent XSS issue is triggered when input passed via the 'keywords' parameter to the list.php script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Alternatively, you can trigger the issue by passing the string <script>alert(1)</script>' into the search box; it will be stored and fire every time you navigate back to the list.php page. If there's no activity, the stored string will self-execute every 5 minutes. 'forgot_password.php' and 'select_project.php' are also vulnerable because they fail to perform filtering when using the REQUEST_URI variable.

Tested on: (xampp)
- Microsoft Windows XP Professional SP3 (EN)
- Apache 2.2.14 (Win32)
- PHP 5.3.1
- MySQL 5.1.41

http://127.0.0.1/eventum-2.3/htdocs/list.php?keywords=<script>alert('ZSL')<%2Fscript>
http://127.0.0.1/eventum-2.3/htdocs/forgot_password.php/>"><script>alert('ZSL')</script>

http://127.0.0.1/eventum-2.2/forgot_password.php/>"><script>alert('ZSL')</script>
http://127.0.0.1/eventum-2.2/select_project.php/>"><script>alert('ZSL')</script>

Waiting for confirmation and fix release for advisory release at http://zeroscience.mk

Thanks,
Gjoko
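The two unsafe-output patterns named in the report (REQUEST_URI echoed into a form action, and the 'keywords' value echoed back into the page), as an added PHP illustration that is not Eventum's code and not part of the original report; the page layout, field names and sample values are constructed for the demo:

```php
<?php
// Added illustration of the two unsafe-output patterns named in the report,
// written as a stand-alone script; it is not Eventum's code. The page layout,
// field names and the sample inputs below are constructed for the demo.

// Vulnerable pattern: REQUEST_URI and a request parameter are written into
// the page as-is, so '"', '>' and '<' in either value reach the browser
// unchanged and can close the attribute and start a <script> element.
function render_vulnerable(string $request_uri, string $keywords): string
{
    return '<form method="get" action="' . $request_uri . '">' . "\n"
         . '  <input type="text" name="keywords" value="' . $keywords . '">' . "\n"
         . '</form>' . "\n"
         . '<p>Results for: ' . $keywords . '</p>';
}

// Hardened pattern: every dynamic value is entity-encoded for its HTML
// context. ENT_QUOTES covers both quote characters, which matters inside
// attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $request_uri, string $keywords): string
{
    return '<form method="get" action="' . h($request_uri) . '">' . "\n"
         . '  <input type="text" name="keywords" value="' . h($keywords) . '">' . "\n"
         . '</form>' . "\n"
         . '<p>Results for: ' . h($keywords) . '</p>';
}

// Constructed inputs shaped like the report's proof-of-concept values.
$uri      = '/forgot_password.php/>"><script>alert(\'ZSL\')</script>';
$keywords = '<script>alert(1)</script>';

echo "--- vulnerable ---\n", render_vulnerable($uri, $keywords), "\n\n";
echo "--- hardened ---\n",   render_hardened($uri, $keywords), "\n";

// Sanity check: no raw <script> tag survives in the hardened output.
if (strpos(render_hardened($uri, $keywords), '<script') !== false) {
    fwrite(STDERR, "hardened output still contains a raw <script> tag\n");
    exit(1);
}
```

Encoding on output fixes both the reflected and the stored case; for the form action, using a fixed script path instead of REQUEST_URI avoids reflecting the request path at all.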


Bryan Alsdorf (balsdorf) on 2011-01-24
Changed in eventum:
importance: Undecided → High
assignee: nobody → Bryan Alsdorf (balsdorf)
Bryan Alsdorf (balsdorf) wrote :

A fix has been committed and we are discussing if we can do a complete release right now, or just release a patch. I will keep you informed, feel free to ping me on IRC to discuss.

LiquidWorm (liquidworm) wrote :

yeah, thanks for the update...

Will await the official release of the fix; in the meantime I'm on IRC, but the time difference is getting in the way :D and my motherboard died today, so that's why I come and go until I buy a new one ;)

cheers.

Elan Ruusamäe (glen666) wrote :

More XSS links, tested with r4263:

/list.php?customer_id=%22%3E%3Ciframe%20src=http://www.google.com%3E%3C/iframe%3E%3Cbr%20bla=%22

Bryan Alsdorf (balsdorf) wrote :

What time frame do you want to issue the advisory? We have someone running an XSS scanner now looking for more problems and if we find more we want to fix them all in one release.

However, we appreciate you finding this flaw and understand you might want to release an advisory sooner rather than later. If so, we can produce a release by the end of the week.

LiquidWorm (liquidworm) wrote :

Well.. it's not a problem, nor a rush, to publish the advisory until you completely fix and release the newer version (ofc, the sooner the better, and there's no pressure). First see what more you can find, and when you're ready for the release you can inform me 1-2 days prior so I can give you a pre-release preview of the advisory. The advisory will have the ID ZSL-2011-4989. Thanks a lot and keep up the good work ;)

Elan Ruusamäe (glen666) wrote :

One more (r4280):

Form 4 of 7 , Action: https://eventum.example.org/list.php
    Vulnerable: pagerRow
    1 vulnerabilit(y/ies) found.

LiquidWorm (liquidworm) wrote :

another one:

param: release

http://127.0.0.1/eventum-2.3/htdocs/list.php?release="><script>alert(1)</script>

Bryan Alsdorf (balsdorf) wrote :

Update to the latest BZR version, release is scrubbed now.

LiquidWorm (liquidworm) wrote :

How's it going, guys...?

Any info on release date?

Thanks

LiquidWorm (liquidworm) wrote :

I'm planning to release the advisory on the 10th of February, 2011. Can you release the new version by then?

Bryan Alsdorf (balsdorf) wrote :

We are testing now, should release today.

I have your alert ID, but what is the website I should link to?

LiquidWorm (liquidworm) wrote :

Thanks,

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4989.php; it's private until the official release is published.

Bryan Alsdorf (balsdorf) wrote :

The tarball was uploaded Friday and I have sent out the announce letter today.

Thanks for your report again.

visibility: private → public
LiquidWorm (liquidworm) wrote :

Thank you for the great cooperation and wish you all the best.

Cheers!
Gjoko

Elan Ruusamäe (glen666) wrote :

We released 2.3.1 containing the fixes.

Changed in eventum:
status: New → Fix Released