[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: QuickBlogger v1.4 Cross-Site Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: QuickBlogger v1.4 Cross-Site Scripting
From: "Steven M. Christey" <coley@xxxxxxxxx>
Date: Fri, 14 Apr 2006 18:01:21 -0400 (EDT)

This is yet another case where XSS is resultant from a more serious
issue.  The primary issue here involves local file inclusion.
retrogod-style attacks might be feasible by injecting PHP code into
text-based data files within the application, then including those
text files using this issue; however, I did not explore it that
deeply.

Based on a download of the 1.4 source from another location, we have
the following code from acc.php:

   if ($_GET['request'] == "") {
   $page = "actions/main.php";
   }
   else {
   $page = "actions/" . $_GET['request'] . ".php";
   }
   include $page;

I can use ".." sequences to include arbitrary PHP files, and null
character injection for arbitrary files of other types:

   acc.php?request=../../../abcdef.txt%00

So - what happens when I use the original XSS manipulation provided by
botan?

  acc.php?request=<script>alert(document.cookie)</script>

If my PHP errors are set up properly, and if I've got a version of PHP
that allows XSS in error messages, I get:

  Warning: main(): Failed opening
  'actions/<script>alert(document.cookie)</script>.php' for inclusion
  (include_path='[PATH HERE]') in acc.php on line 220

This was tested on QuickBlogger 1.4 under PHP 4.

- Steve

Prev by Date: manila.userland cross site scriptable
Next by Date: ZDI-06-010: Mozilla Firefox CSS Letter-Spacing Heap Overflow Vulnerability
Previous by thread: QuickBlogger v1.4 Cross-Site Scripting
Next by thread: phpMyAdmin 2.7.0-pl1
Index(es):
- Date
- Thread