[VIM] verify of ViArt Shop Free 2.5.5 issue (diff digging)
Steven M. Christey
coley at mitre.org
Mon Jun 12 17:09:24 EDT 2006
BUGTRAQ:20060607 [NOBYTES.COM: #12] ViArt Shop v2.5.5 - XSS Vulnerability
The Bugtraq post links to the following fix:
whose name is probably sufficient enough to prove an acknowledgement
of this report, but...
The xss_fix.zip file contains 3 executables:
Downloading the original 2.5.5 files (still available on the vendor
web site) and doing a diff with the fix yields results such as this
one for block_forum_topic_new.php:
< $sql .= " WHERE forum_id=" . $db->tosql($forum_id, INTEGER);
> $sql .= " WHERE forum_id=" . $forum_id;
These are in the forum_topic_new function. But before we get to that
point, we have:
$forum_id = get_param("forum_id");
So, we have an SQL injection problem here.
Back to the XSS.
For block_reviews.php we have the reviews function:
< $t->set_var("column_id", htmlspecialchars($column_id));
< $t->set_var("column_name", htmlspecialchars($column_name));
> $t->set_var("column_id", $column_id);
> $t->set_var("column_name", $column_name);
and $column_id comes from:
$column_id = get_param("item_id");
Note - based on surface level analysis, $column_name is only set to
and for the forum_topics_show function in block_forum_topics.php we
< $forum_topic_new_url = "forum_topic_new.php?forum_id=" . urlencode($forum_id);
> $forum_topic_new_url = "forum_topic_new.php?forum_id=" . $forum_id;
and this is called from forum.php.
*phew* that hurt.
More information about the VIM