From s_alper@hotmail.com Thu Jun 6 15:35:00 2002
From: Ahmet Sabri ALPER
To: bugtraq@securityfocus.com
Date: 6 Jun 2002 14:09:44 -0000
Subject: [ARL02-A12] PHP(Reactor) Cross Site Scripting Vulnerability

+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A12 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information
--------------------
Name               : php(Reactor) Cross Site Scripting Vulnerability
Software Package   : php(Reactor)
Vendor Homepage    : http://phpreactor.org/
Vulnerable Versions: v1.2.7 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/05/2002
Vendor Replied     : 15/05/2002
Prior Problems     : N/A
Current Version    : v1.2.7pl1 (immune)

Summary
-------
php(Reactor) is a set of integrated applications focusing on user
interaction. Included are articles, content management, bbs/forums, polls,
ecards, and chat events. Administration is quick and easy with a
browser-based control panel.

A Cross Site Scripting vulnerability exists in php(Reactor). It allows a
remote attacker to deliver content to victims from an untrusted web server
while making it appear to come from the legitimate server.

Details
-------
The "browse.php" script in the "comments" section does not filter user
input for the $go variable before writing it back into the page. Any user
can therefore craft a malicious link that, when followed, discloses
information about the victim, including the login information of the
administrator.

Here is a proof-of-concept link:

http://[target]/comments/browse.php?fid=2&tid=4&go=<script>alert(document.cookie)</script>

Note that the $fid and $tid variables must be integers.

Solution
--------
The vendor replied quickly and released a new version on 28/05/2002, which
can be downloaded at
http://sourceforge.net/project/showfiles.php?group_id=12105&release_id=91877

Credits
-------
Discovered on 15 May 2002 by Ahmet Sabri ALPER, ALPER Research Labs.

References
----------
Product Web Page: http://www.phpreactor.org/
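The flaw described under Details, modelled as an added example that is not php(Reactor)'s own code: a reconstruction of the unfiltered echo of $go beside a hardened version that casts $fid/$tid to integers and HTML-encodes $go before it reaches the response. The function names, the surrounding HTML and the sample request are assumptions made for the illustration.

```php
<?php
// Added example, not php(Reactor)'s own code. It models the flaw the
// advisory describes (the "go" parameter written into the page without
// encoding) and a hardened version. Function names and markup are assumed.

// Vulnerable pattern (reconstruction of what the advisory describes):
// every parameter is copied straight into the HTML response.
function render_browse_vulnerable(array $get): string
{
    $fid = $get['fid'] ?? '';
    $tid = $get['tid'] ?? '';
    $go  = $get['go'] ?? '';
    return "<a href=\"browse.php?fid=$fid&tid=$tid\">$go</a>";
}

// Hardened version: integer parameters are coerced, free text is
// HTML-encoded before it is placed in the page, so markup inside the
// parameter is rendered as literal text instead of being executed.
function render_browse_hardened(array $get): string
{
    // fid and tid are documented as integers; a non-numeric value becomes 0
    // rather than reaching the output unchanged.
    $fid = (int) ($get['fid'] ?? 0);
    $tid = (int) ($get['tid'] ?? 0);

    // ENT_QUOTES encodes both " and ' so the value is also safe inside
    // attribute values, and the explicit charset avoids multi-byte surprises.
    $go   = htmlspecialchars((string) ($get['go'] ?? ''), ENT_QUOTES, 'UTF-8');
    $href = htmlspecialchars("browse.php?fid=$fid&tid=$tid", ENT_QUOTES, 'UTF-8');

    return "<a href=\"$href\">$go</a>";
}

// Constructed sample request using the parameter names from the advisory.
$sample = ['fid' => '2', 'tid' => '4', 'go' => '<script>alert(1)</script>'];

$vuln = render_browse_vulnerable($sample);
$safe = render_browse_hardened($sample);

// The vulnerable output still contains a live <script> element; the hardened
// output contains only the encoded text &lt;script&gt;.
assert(strpos($vuln, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
```

The integer casts on $fid and $tid matter as much as the encoding of $go: the advisory notes that those values must be integers, and coercing them at the boundary guarantees they cannot carry markup into the response either.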