XOOPS myheader.php Cross Site Scripting Vulnerability
24 Dec. 2003
Summary
XOOPS is "a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS supports a number of databases, making XOOPS an ideal tool for developing small to large dynamic community websites, intra company portals, corporate portals, weblogs and much more". The weblinks module contains a file named "myheader.php" in the /modules/mylinks/ directory, and this file contains a cross-site scripting vulnerability.
Credit:
The information has been provided by Chintan Trivedi.
Vulnerable code:
The relevant code of the file is as follows:

include "../../mainfile.php";
$url = $HTTP_GET_VARS['url'];
$lid = intval($HTTP_GET_VARS['lid']);
...
<td class='bg4' align="center"><small>
<a target="main" href="ratelink.php?cid=<? echo $cid; ?>&lid=<? echo $lid; ?>"><? echo _MD_RATETHISSITE; ?></a> | <a target="main" href="modlink.php?lid=<? echo $lid; ?>"><? echo _MD_MODIFY; ?></a> | <a target="main" href="brokenlink.php?lid=<? echo $lid; ?>"><? echo _MD_REPORTBROKEN; ?></a> | <a target='_top' href='mailto:?subject=<? echo $mail_subject; ?>&body=<? echo $mail_body;?>'><? echo _MD_TELLAFRIEND; ?></a> | <a target='_top' href="<? echo XOOPS_URL; ?>">Back to <? echo $xoopsConfig['sitename']; ?></a> | <a target='_top' href="<? echo $url; ?>">Close Frame</a>
</small>
...
The value of the variable "url" is used in the line <a target='_top' href="<? echo $url; ?>">Close Frame</a> without being sanitized. Thus, an attacker can pass JavaScript code as the value of the variable "url" and have it executed as soon as the victim clicks the "Close Frame" link.
Exploit:
By clicking on the link http://[target]/modules/mylinks/myheader.php?url=javascript:alert(document.cookie);, the victim is directed to a page containing a "Close Frame" link whose target is actually the JavaScript code inserted by the attacker. A captured cookie can be used by the attacker to log in with the hijacked user's privileges (including those of an admin).
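As an added example (not XOOPS code and not the fix the project shipped), the PHP below shows the defensive pattern missing from myheader.php: the user-supplied url parameter is validated against an allowlist of schemes and then escaped before it is placed in the "Close Frame" link. The function names and the fallback URL are assumptions.

```php
<?php
// Added example, not from XOOPS: validate and escape a user-supplied URL
// before it is echoed into an href attribute (the defect in myheader.php).

// Return $url only if it is an absolute http/https URL, otherwise $fallback.
function safe_link_url($url, $fallback)
{
    // Remove control characters and whitespace first: browsers ignore them,
    // so "java\tscript:" or " javascript:" would otherwise pass a naive check.
    $clean = preg_replace('/[\x00-\x20\x7f]/', '', (string) $url);
    $parts = parse_url($clean);
    if ($parts === false || empty($parts['scheme'])) {
        return $fallback; // relative or malformed: do not trust it here
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback; // rejects javascript:, data:, vbscript: and friends
    }
    return $clean;
}

// Escape a value for use inside a double-quoted HTML attribute.
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Assumed stand-in for XOOPS_URL; the real site root would be used instead.
$fallback = 'https://example.org/';
$url = isset($_GET['url']) ? $_GET['url'] : '';

// Vulnerable pattern from the advisory (never output unescaped like this):
//   <a target='_top' href="<? echo $url; ?>">Close Frame</a>
// Hardened version: scheme allowlist first, then attribute escaping.
echo '<a target="_top" href="' . attr(safe_link_url($url, $fallback))
   . '">Close Frame</a>';
```

Note that escaping alone would not stop this bug: javascript:alert(document.cookie) contains no characters that htmlspecialchars changes, so the scheme check is the part that actually blocks the payload.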