Re: [Solved]-PopnupBlog index.php multiple variables XSS

Hi All,

Thanks for reporting. I checked this issue as XSS. Well, I can put a script in it, but it doesn't work at the browser level, because the template does not show those parameters.

But I guess we feel something is wrong, so I added more sanitizing code
and released Ver3.21.

DOWNLOAD HERE


Re: Yogurt Social Network multiple scripts uid variable XSS

Updated information: http://osvdb.org/search?request=yogurt

Look at the other solution link; it's a reference to this post.

And look at the solution section: 'Currently, there are no known workarounds or upgrades to correct this issue. However, ImpressCMS (m0unty ) is working to address this vulnerability.'

OSVDB is an open source project and it's updated by community contributors.

Also interesting: it provides the best security reference for a vulnerability, since when a vulnerability has any update, any one of the contributors can add the information to update it.


Thanks to all who have been involved in working on the patch!!!

--
Curiosity is what moves the mind...


Re: [Solved]-PopnupBlog index.php multiple variables XSS

Thanks again, I have sent this info to the dev.



Re: [Solved]-PopnupBlog index.php multiple variables XSS

Sure!!

This can be patched here too, in class/PopnupBlogUtils.php.

Around line 63, if you look, some params are sanitized in the original function, but not all...

function getDateFromHttpParams(){
    global $_SERVER, $_POST, $_GET, $xoopsUser;
    $param     = isset($_POST['param'])    ? ($_POST['param'])        : 0;  // not sanitized
    $postid    = isset($_POST['postid'])   ? intval($_POST['postid']) : 0;  // sanitized
    $trackback = isset($_GET['trackback']) ? ($_GET['trackback'])     : 0;  // not sanitized
    if(!$postid) $postid = isset($_GET['postid']) ? intval($_GET['postid']) : 0;
    //if(!$trackback) $trackback = isset($_GET['trackback']) ? ($_GET['trackback']) : 0;
    if(!$param) $param = isset($_GET['param']) ? ($_GET['param']) : 0;   // not sanitized
    if(!$param && !$postid){
        $path_info = isset($_SERVER['ORIG_PATH_INFO']) ? $_SERVER['ORIG_PATH_INFO'] : null;
        if(!$path_info) $path_info = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : null;
        if ( isset($path_info) ){
            $pa = explode( "/" , $path_info );
            $postid = intval($pa[count($pa)-1]);
        }
    }
    $param = trim($param);
    // ... (the rest of the function was not included in the post)

--
Curiosity is what moves the mind...


Re: [Solved]-PopnupBlog index.php multiple variables XSS

$_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();


Maybe this would work better:

$unsafe_params = PopnupBlogUtils::getDateFromHttpParams();
$params = array();
foreach($unsafe_params as $key => $value){
    $params[$key] = intval($value);   // force every returned value to an integer
}


But I really think the sanitising should go inside class/PopnupBlogUtils.php.



Re: [Solved]-PopnupBlog index.php multiple variables XSS

Yes, I had an error in the version; I tested it in version 3.20 from here => http://www.bluemooninc.biz/~xoops2/modules/mydownloads/singlefile.php?cid=3&lid=35

and it is vulnerable ;)

I'm not sure, if we try to fix the 'param' variable with:

$_GET['param'] = intval($_GET['param']);


this solves it when we get index.php?param=1,
but is it correct when we get index.php?param=1-2002

???

--
Curiosity is what moves the mind...


Re: [Solved]-PopnupBlog index.php multiple variables XSS

Thanks, but I thought the latest version of PopnupBlog is 3.20 and that this version was fixed. See Secunia SA29993.



Re: Yogurt Social Network multiple scripts uid variable XSS

I can see Alfred's making some good progress on security as well



[Solved]-PopnupBlog index.php multiple variables XSS

##########################################
PopnupBlog index.php multiple variables XSS
Vendor url: http://www.bluemooninc.biz/
Advisory: http://lostmon.blogspot.com/2008/08/popnupblog-indexphp-multiple-variables.html
Vendor notified: no
Exploits available: yes
##########################################

PopnupBlog contains a flaw that allows a remote
cross site scripting attack. This flaw exists because
the application does not validate the 'param', 'cat_id' and
'view' variables upon submission to the 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to loss of integrity.

##########
versions
##########

PopnupBlog 3.30 code name: Denali

Prior versions can be vulnerable too.
It affects these types of CMS systems if we
have this module installed:

Xoops
e-xoops
ImpressCMS
Bcoos

and others that use Xoops code and this module.

############
Solution
############

No solution at this time !!!

But you can edit the source code and fix it like this:

To fix 'param', open index.php; around line 37 we have:

$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;


Add a line to force 'param' to return an integer:

// force 'param' to an integer before the utility class reads it
$_GET['param'] = isset($_GET['param']) ? intval($_GET['param']) : 0;
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;


To fix 'cat_id' and 'view', open index.php; around line 129:

$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];


Add intval to force the variables to return an integer, like:

$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);

###########
Examples
###########

http://localhost/modules/popnupblog/index.php?param=1">[XSS-CODE]&start=0,10&cat_id=&view=1

http://localhost/modules/popnupblog/index.php?param=&start=0,10&cat_id=">[XSS-CODE]&view=1

http://localhost/modules/popnupblog/index.php?param=&start=0,10&cat_id=&view=1">[XSS-CODE]

############## End ###################

Thanks to estrella for being my light
Thanks to all the Lostmon Team!
Thanks to imydes from www.imydes.com
--
Sincerely:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....

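The following is an added example, not code from the advisory or from PopnupBlog, that puts the three approaches discussed in this thread side by side: the unvalidated 'param' landing in page markup (the advisory's flaw), the intval() fix proposed above together with what it does to a value like 1-2002 (the question raised earlier in the thread, since intval() keeps only the leading digits), and a format whitelist with output encoding that rejects bad input instead of silently mangling it. The function names, the assumed 'param' formats (a plain number, or two numbers joined by a hyphen) and the link markup are assumptions; PopnupBlog's own getDateFromHttpParams() is not reproduced here.

```php
<?php
// Added example (not PopnupBlog code). Assumed 'param' formats: '1' or '1-2002'.
// Helper names and the generated markup are hypothetical.

// 1. Vulnerable pattern: the raw request value is written into an attribute.
function render_unsafe(array $get) {
    $param = isset($get['param']) ? $get['param'] : '';
    return '<a href="index.php?param=' . $param . '">link</a>';
}

// 2. The intval() fix from the thread: stops the XSS, but also truncates
//    anything that is not a plain integer (intval('1-2002') === 1).
function render_intval(array $get) {
    $param = isset($get['param']) ? intval($get['param']) : 0;
    return '<a href="index.php?param=' . $param . '">link</a>';
}

// 3. Whitelist the format, then encode on output. Accepts '1' and '1-2002',
//    rejects everything else by treating it as "no param".
function sanitize_param($raw) {
    $raw = trim((string) $raw);
    if (preg_match('/^\d{1,4}(-\d{1,4})?$/', $raw)) {
        return $raw;
    }
    return '';
}

function render_whitelist(array $get) {
    $param  = isset($get['param'])  ? sanitize_param($get['param']) : '';
    $cat_id = isset($get['cat_id']) ? intval($get['cat_id']) : 0;   // genuinely numeric
    $view   = isset($get['view'])   ? intval($get['view'])   : 0;   // genuinely numeric
    $url    = 'index.php?param=' . $param . '&cat_id=' . $cat_id . '&view=' . $view;
    // htmlspecialchars with ENT_QUOTES so neither " nor ' can close the attribute
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}

$payload = '1"><script>alert(1)</script>';   // constructed XSS probe
$range   = '1-2002';                          // constructed "valid" range value

echo render_unsafe(array('param' => $payload)), "\n";     // script tag survives
echo render_intval(array('param' => $payload)), "\n";     // param=1
echo render_intval(array('param' => $range)), "\n";       // param=1  (range lost)
echo render_whitelist(array('param' => $payload)), "\n";  // param=   (rejected)
echo render_whitelist(array('param' => $range, 'cat_id' => '3"><b>', 'view' => '2')), "\n";
// param=1-2002&amp;cat_id=3&amp;view=2
```

The third variant is what the "sanitising should go inside class/PopnupBlogUtils.php" comment points at: validate each variable against the shape it is supposed to have where it is read, and still encode it where it is written out, rather than coercing everything to an integer at the top of index.php.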


Re: Yogurt Social Network multiple scripts uid variable XSS

Hello,

I have added "dhcst" aka @Alfred and "m0unty_" aka @Vaughan as developers.

And I have changed from CVS to SVN on https://sourceforge.net/projects/galeriayogurt/

After that I copied our latest version to sf.net.

Alfred has added the first commit.



I think we can create a very nice module which also works with Xoops. The more people take part in development, the better the result.



Re: Yogurt Social Network multiple scripts uid variable XSS

2008/8/24 20:20:44 - suico

Sorry for taking so long to post here in this forum. I am watching the ImpressCMS project and am happy with its evolution.

I have posted a news item on SourceForge and hope everyone interested in the project reads it.
http://sourceforge.net/forum/forum.php?forum_id=860075

I would like to thank again everyone who is helping on this project, and promise to come back to the code one day when my life outside the Xoops and ImpressCMS world is less busy.

I am finishing my master's in software engineering and will start a new one in software security and risk management, so I will remain busy till October 2009.

Thanks to my friend edvbox of xoopsmagazine, or sato as he is called here, for all this help.



Re: Yogurt Social Network multiple scripts uid variable XSS

I am not a great fan of reporting vulnerabilities outside the user communities.

The vulnerability gets reported to OSVDB, milw0rm, Secunia, etc. but never that it has been fixed. These databases never remove these reports after the vulnerability has been fixed. This often leads to all kinds of hack attempts for a long period of time by the script-kiddies. In the worst case these kiddies succeed because the developer(s) maybe can't fix it quickly enough or are unaware of the vulnerability.

The communities should track these vulnerabilities and if discovered place the module offline from the download area.





[solved] The case of the mysterious vanishing page

It was a dark and stormy day as the wannabe ICMS module developer caressed the keys in an attempt to coax a new ImpressCMS module to life (well, actually it was just kind of cloudy with a chance of thunderstorms).

He wanted to make his new creation very user friendly to administrate (because, after all, he finds himself whining quite a bit about how some others implement their code), so he selected an intuitive push button approach to various functions within an administrative tabs setup to make the job easier.

Our dubious hero uses the ImpressCMS 1.1 beta platform and had thought how smart he was in doing the right thing by his installation, making sure that Protector was installed and operating. He felt good in knowing that his site was protected from the bad guys and knew in his heart that it was a good thing to implement.

As he tested away on his module, he found an odd problem kept resurfacing. Suddenly, for no apparent reason, the pages would go blank, without an error. He found he needed to restart the webserver process in order to get around the problem. How strange, he thought.

He struggled with his code, looking here and there for the answer to this intense and growing mystery. Finally, after several hours of developing, going back to restart the webserver fairly often, he checked back into his Protector module. He discovered that indeed an IP had been blocked for what Protector saw as a denial of service attack from none other than his own IP.

Feeling stupid about such an obvious thing, he added that IP to the exclude list and smiled to himself when he saw the problem vanish. "Better make a note to myself about that, just in case I see that again on the user side - might need to change the default Protector parameters", he thought as he drifted back to his code...



Re: Yogurt Social Network multiple scripts uid variable XSS

Thanks!

I'm going to update this information!!
Good work :)

--
Curiosity is what moves the mind...




Re: Yogurt Social Network multiple scripts uid variable XSS

Hello!

Does anyone have a patch, update or workaround for this module??

I'm going to be managing and documenting all of these vulnerabilities in osvdb.org:

http://osvdb.org/search?request=yogurt

If anyone has some information, please let me know. Thanks!!!

--
Curiosity is what moves the mind...


Re: SQL Injections - very active right now

Thanks for the info. I have added the list in my ImpressCMS:

127.0.0.1|^62.141.48|^62.141.49|^62.141.50|^62.141.51|^62.141.52|^62.141.53|^62.141.54|^62.141.55|^78.159.96|^84.16.224|^84.16.233|^84.16.243|^84.16.252|^89.149.197|^89.149.202|^89.149.217|^89.149.209|^89.149.227|^89.149.236|^89.149.241|^89.149.242|^89.149.244|^89.149.253|^89.149.254|^89.149.255|^89.149.226|^217.20.112|^217.20.113|^217.20.115|



Re: SQL Injections - very active right now

I don't think it's a coincidence that these injection attempts happen during the weekends. During the week it collects links to attack at the weekend.
On my website I use the counter PHP-Stats, and often there are entries that have the following remarks:
- OS: Windows XP
- Browser: IE6/IE7
- resolution: ??
And only 1 page visited.
The details of the injection attempts are actually the same, except it's not 'visiting' one page. During the injection attempt the same page is normally visited twice, with 2-5 seconds in between. Sometimes another attempt happens a little later from the same IP.


Spam is something that is part of this world, but hopefully it will be terminated once and for all.
I am blocking Internetserviceteam.com and keymachine.de in htaccess because they're known content scrapers and spam bots:

# ban keymachine.de
deny from keymachine.de
deny from 62.141.48.
deny from 62.141.49.
deny from 62.141.50.
deny from 62.141.51.
deny from 62.141.52.
deny from 62.141.53.
deny from 62.141.54.
deny from 62.141.55.
deny from 84.19.176.
deny from 87.118.102.
deny from 87.118.118.
# ban internetserviceteam.com
deny from internetserviceteam.com
deny from 78.159.96.
deny from 84.16.224.
deny from 84.16.233.
deny from 84.16.243.
deny from 84.16.252.
deny from 89.149.197.
deny from 89.149.202.
deny from 89.149.217.
deny from 89.149.209.
deny from 89.149.227.
deny from 89.149.236.
deny from 89.149.241.
deny from 89.149.242.
deny from 89.149.244.
deny from 89.149.253.
deny from 89.149.254.
deny from 89.149.255.
deny from 89.149.226.
deny from 217.20.112.
deny from 217.20.113.
deny from 217.20.115.

The biggest problem is that once your address is on a spam list, you're on it forever...


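As an added example, not from this thread, Protector or ImpressCMS, here is a small PHP script that looks for the pattern the post above describes in a combined-format web server access log: the same IP requesting the same page twice a few seconds apart, an IE6/IE7-on-XP user agent, and a query string carrying SQL keywords. The log lines are constructed for the example; the 2-5 second window, the user-agent test, the SQL keyword list and the scoring thresholds are assumptions for illustration, not rules taken from Protector or any other product.

```php
<?php
// Added example (not Protector/ImpressCMS code). Thresholds, UA test and
// SQL keyword list are assumptions; the log lines below are constructed.

$log = <<<'LOG'
10.0.0.5 - - [23/Aug/2008:02:14:01 +0000] "GET /modules/news/index.php?storyid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [23/Aug/2008:02:15:10 +0000] "GET /modules/news/index.php?storyid=12%27+UNION+SELECT+1,2,3-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.9 - - [23/Aug/2008:02:15:13 +0000] "GET /modules/news/index.php?storyid=12%27+UNION+SELECT+1,2,3-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.7 - - [23/Aug/2008:02:16:00 +0000] "GET /modules/news/index.php?storyid=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.7 - - [23/Aug/2008:02:16:04 +0000] "GET /modules/news/index.php?storyid=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
LOG;

// Split one combined-format line into the fields we score on.
function parse_line($line) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $dt = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return array(
        'ip'    => $m[1],
        'ts'    => $dt ? $dt->getTimestamp() : 0,
        'path'  => parse_url($m[4], PHP_URL_PATH),
        'query' => urldecode((string) parse_url($m[4], PHP_URL_QUERY)),
        'ua'    => $m[5],
    );
}

// Crude SQL injection indicators in a decoded query string (assumed list).
function looks_like_sqli($query) {
    $re = '/(\bunion\b.*\bselect\b|\binformation_schema\b|\bconcat\(|--\s*$|\'\s*(or|and)\s+\S+=)/i';
    return (bool) preg_match($re, $query);
}

// The user agent the post mentions: IE6 or IE7 on Windows XP (NT 5.1).
function is_ie_on_xp($ua) {
    return (bool) preg_match('/MSIE [67]\.0;.*Windows NT 5\.1/', $ua);
}

// Score every hit: +1 repeat of the same page by the same IP within the
// window, +2 SQL-looking query, +1 suspicious UA. Report score >= 2.
function find_suspects($log, $min_gap = 2, $max_gap = 5) {
    $seen = array();   // "ip path" => timestamp of the previous hit
    $hits = array();
    foreach (explode("\n", trim($log)) as $line) {
        $e = parse_line($line);
        if ($e === null) {
            continue;
        }
        $key = $e['ip'] . ' ' . $e['path'];
        $gap = isset($seen[$key]) ? $e['ts'] - $seen[$key] : null;
        $repeat = ($gap !== null && $gap >= $min_gap && $gap <= $max_gap);
        $seen[$key] = $e['ts'];
        $score = ($repeat ? 1 : 0)
               + (looks_like_sqli($e['query']) ? 2 : 0)
               + (is_ie_on_xp($e['ua']) ? 1 : 0);
        if ($score >= 2) {
            $hits[] = array('ip' => $e['ip'], 'score' => $score, 'query' => $e['query']);
        }
    }
    return $hits;
}

foreach (find_suspects($log) as $h) {
    printf("%-10s score=%d  %s\n", $h['ip'], $h['score'], $h['query']);
}
// Flags both 10.0.0.9 hits (SQL keywords, IE6/XP, second one a 3 s repeat)
// and the second 10.0.0.7 hit (IE7/XP plus a 4 s repeat, no SQL), and
// leaves the ordinary 10.0.0.5 request alone.
```

The scoring is deliberately additive so that a repeated hit from a plain browser on its own does not trip the check, while the pattern the post describes (repeat plus suspicious UA) does, and an actual SQL payload is reported on the first request without waiting for the repeat. Feed real log lines in place of the constructed ones and tune the weights against what your own site sees before blocking anything from the result.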



