Stored XSS issue and REQUEST_URI XSS

Bug #706385 reported by LiquidWorm
Affects: Eventum
Status: Fix Released
Importance: High
Assigned to: Bryan Alsdorf
Milestone: (not set)

Bug Description

Affected version: 2.2 and 2.3

Date discovered: 19.01.2011

Eventum suffers from a cross-site scripting vulnerability. The persistent XSS issue is triggered when input passed via the 'keywords' parameter to the list.php script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Or, you can trigger the issue by passing the string '<script>alert(1)</script>' into the search box, and it will be stored every time you navigate back to the list.php page. If there's no activity, the stored string will self-execute every 5 minutes. 'forgot_password.php' and 'select_project.php' are also vulnerable because they fail to perform filtering when using the REQUEST_URI variable.

Tested on: (xampp)
- Microsoft Windows XP Professional SP3 (EN)
- Apache 2.2.14 (Win32)
- PHP 5.3.1
- MySQL 5.1.41

http://127.0.0.1/eventum-2.3/htdocs/list.php?keywords=<script>alert('ZSL')<%2Fscript>
http://127.0.0.1/eventum-2.3/htdocs/forgot_password.php/>"><script>alert('ZSL')</script>

http://127.0.0.1/eventum-2.2/forgot_password.php/>"><script>alert('ZSL')</script>
http://127.0.0.1/eventum-2.2/select_project.php/>"><script>alert('ZSL')</script>

Waiting for confirmation and fix release for advisory release at http://zeroscience.mk

Thanks,
Gjoko
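The two output-encoding mistakes the report describes, written out as an added PHP illustration (not Eventum's own code; the request values, function names and the span/form markup are constructed here for the example):

```php
<?php
// Added illustration of the two bugs in the report, not Eventum's own code.
// The request values below are constructed from the report's test URLs.
$requestUri = '/eventum-2.3/htdocs/forgot_password.php/>"><script>alert(\'ZSL\')</script>';
$keywords   = '<script>alert(1)</script>';

// VULNERABLE: REQUEST_URI is dropped into an attribute unencoded. The payload
// travels in PATH_INFO (after "forgot_password.php/"), so filtering only the
// query string would not help; the quote and '>' close the attribute and tag.
function form_action_vulnerable(string $requestUri): string {
    return '<form method="post" action="' . $requestUri . '">';
}

// FIXED: encode for the attribute context. ENT_QUOTES handles both quote
// styles; naming the charset avoids multibyte surprises.
function form_action_fixed(string $requestUri): string {
    return '<form method="post" action="'
        . htmlspecialchars($requestUri, ENT_QUOTES, 'UTF-8') . '">';
}

// SAFER STILL: do not reflect the request at all. Build the action from the
// script's own name (e.g. $_SERVER['SCRIPT_NAME']), which carries no PATH_INFO.
function form_action_from_script(string $scriptName): string {
    return '<form method="post" action="'
        . htmlspecialchars($scriptName, ENT_QUOTES, 'UTF-8') . '">';
}

// STORED VARIANT: the keywords filter is kept (e.g. in the session) and
// rendered again on every visit to list.php. Encode at output time, in the
// context where the value lands, not when it is stored.
function keywords_label_vulnerable(string $keywords): string {
    return '<span class="filter">Keywords: ' . $keywords . '</span>';
}
function keywords_label_fixed(string $keywords): string {
    return '<span class="filter">Keywords: '
        . htmlspecialchars($keywords, ENT_QUOTES, 'UTF-8') . '</span>';
}

echo form_action_vulnerable($requestUri), "\n";      // attribute and tag broken open
echo form_action_fixed($requestUri), "\n";           // entities only, rendered as text
echo form_action_from_script('/eventum-2.3/htdocs/forgot_password.php'), "\n";
echo keywords_label_vulnerable($keywords), "\n";     // a script element is emitted
echo keywords_label_fixed($keywords), "\n";          // the tags are shown literally
```

Run it with `php example.php` and compare the two lines of each pair; the fixed versions contain no raw `<`, `>` or `"` from the input.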


Bryan Alsdorf (balsdorf)
Changed in eventum:
importance: Undecided → High
assignee: nobody → Bryan Alsdorf (balsdorf)
Bryan Alsdorf (balsdorf) wrote :

A fix has been committed and we are discussing if we can do a complete release right now, or just release a patch. I will keep you informed, feel free to ping me on IRC to discuss.

LiquidWorm (liquidworm) wrote :

yeah, thanks for the update...

Will await the official release of the fix; in the meantime I'm on IRC, but time differences are getting in the way :D and my motherboard died today, so that's why I come and go until I buy a new one ;)

cheers.

Elan Ruusamäe (glen666) wrote :

more xss links, tested with r4263

/list.php?customer_id=%22%3E%3Ciframe%20src=http://www.google.com%3E%3C/iframe%3E%3Cbr%20bla=%22

Bryan Alsdorf (balsdorf) wrote :

What time frame do you want to issue the advisory? We have someone running an XSS scanner now looking for more problems and if we find more we want to fix them all in one release.

However, we appreciate you finding this flaw and understand you might want to release an advisory sooner rather than later. If so, we can produce a release by the end of the week.

LiquidWorm (liquidworm) wrote :

Well... it's not a problem nor a rush to publish the advisory until you completely fix and release the newer version (ofc, the sooner the better, and there's no pressure). First you see what more you can find out, and when you're ready for the release you can inform me 1-2 days prior to that so I can give you a pre-release preview of the advisory. The advisory will have the ID: ZSL-2011-4989. Thanks a lot and keep up the good work ;)

Elan Ruusamäe (glen666) wrote :

one more r4280

Form 4 of 7 , Action: https://eventum.example.org/list.php
    Vulnerable: pagerRow
    1 vulnerabilit(y/ies) found.

LiquidWorm (liquidworm) wrote :

another one:

param: release

http://127.0.0.1/eventum-2.3/htdocs/list.php?release="><script>alert(1)</script>

Bryan Alsdorf (balsdorf) wrote :

Update to the latest BZR version, release is scrubbed now.

LiquidWorm (liquidworm) wrote :

How's it going guys...?

Any info on release date?

Thanks

LiquidWorm (liquidworm) wrote :

I'm planning to release the advisory on the 10th of February, 2011. Can you release the new version by then?

Bryan Alsdorf (balsdorf) wrote :

We are testing now, should release today.

I have your alert ID, but what is the website I should link to?

LiquidWorm (liquidworm) wrote :

Thanks,

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4989.php (it's private until the official release is published).

Bryan Alsdorf (balsdorf) wrote :

The tarball was uploaded Friday and I have sent out the announce letter today.

Thanks for your report again.

visibility: private → public
LiquidWorm (liquidworm) wrote :

Thank you for the great cooperation and wish you all the best.

Cheers!
Gjoko

Elan Ruusamäe (glen666) wrote :

we released 2.3.1 containing the fixes

Changed in eventum:
status: New → Fix Released