phpTrafficA 2.3 Cross Site Scripting

2015-04-08T00:00:00
ID PACKETSTORM:131332
Type packetstorm
Reporter Daniel Geerts
Modified 2015-04-08T00:00:00

Description

                                        
                                            `  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Product: phpTrafficA  
Product page: http://soft.zoneo.net/phpTrafficA/  
Affected versions: Up to and including 2.3 (latest as of writing).  
  
Description:  
The user agent string provided by the browser is not sanitized nor  
escaped when handled. This string is then outputting into HTML code on  
the "Latest visitors > Details" page, leading to HTML injection that can  
be abused to perform XSS. For example, the following user agent will  
cause a JavaScript dialogbox to pop up as soon as the page is visited:  
"><script>alert();</script>  
  
This page can be hidden from the public, in which case only admins can  
visit it. However, the script still executes when they do, which could  
enable a malicious user agent to steal the phpTrafficA cookie (no  
expiry) or other admin credentials.  
  
  
Proposed fix:  
Escape the HTML characters with htmlspecialchars before outputting the  
user agent string.  
  
In: Php/stats/statsRecent.inc.php  
  
Line 304:  
echo "<tr class=\"data av $even $clrobots $clreturn\"><td  
nowrap>$end</td><td> $dur</td><td  
align=\"center\"> ".format_float($hits)." </td><td> <a  
href=\"./index.php?mode=stats&sid=$sid&show=clickstream&lang=$lang&ip=$ip\"  
title=\"".$strings['Moreinfovisitor']."\"  
class=\"basic\">$ipText</a> </td><td  
align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n";  
becomes:  
echo "<tr class=\"data av $even $clrobots $clreturn\"><td  
nowrap>$end</td><td> $dur</td><td  
align=\"center\"> ".format_float($hits)." </td><td> <a  
href=\"./index.php?mode=stats&sid=$sid&show=clickstream&lang=$lang&ip=$ip\"  
title=\"".$strings['Moreinfovisitor']."\"  
class=\"basic\">$ipText</a> </td><td  
align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n";  
  
  
Line 369:  
$echo = "<tr><td valign=\"top\" colspan=\"3\">$ip  
($whoislink$baniplink)<br>$host<br>$labelTxt<table  
class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td  
valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table  
class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].":  
";  
becomes:  
$echo = "<tr><td valign=\"top\" colspan=\"3\">$ip  
($whoislink$baniplink)<br>$host<br>$labelTxt<table  
class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td  
valign=\"top\" colspan=\"2\">".$strings['Agent'].":  
".htmlspecialchars($thisagent)."<br><table  
class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].":  
";  
  
  
  
Best regards,  
Daniel Geerts  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)  
Comment: GPGTools - https://gpgtools.org  
  
iQIcBAEBCgAGBQJVJPGzAAoJEHn1bVIKHk5N5egP/0FRgNCiTwYyFwmqgcNLxOQ5  
yuJtnGdGFvH0axXlvm+AgVYOtmM4erduSR3hCaSx4ER7f30SZkRCUuaW8aR1/Tow  
bdYzLXNHcY21gXkhHt+bWH7ZkEpUWxXR6ZzrwL5QO3Ez+QkDr1HUmg8QQPUia8Qk  
KGY+dbkRXqVR7MYRGjAbyceOEXpxpOtxaZ9UTSmQTGW31Upu+dmqkkOTbvV20tEj  
N07T4UwMffCGNWloeuXg8QvIlvwe22kV3+frA2qGxdWKHVl66iJAV0pQ+bxDgoxe  
Y3JsYKdeIhB6T0Yt7rpEbzlgaupQ9pg279bzGVVD4Z+AuNhvDY/4K6RZsFB11DGv  
eY4VR8KLyNuw5N/wLBGf9ZSL9dLBGatYxi0HoQtrmFqLppo1x6nhEV6A0gRulWRa  
9L04PdWKmv+2/prwW9ygT7UFIdApT1q3Uljq9QQIWmdDxGx3YxFmvMVpC5NThtxO  
ElN8fhQpUKFss439qiLaGEMKO/D4bNC71Ydo6jvZOWQ+9eBxmMUT7XfK6fnB811c  
RTRON1SG73AWcbfpIJ/dM+g0jm6bcvVVQxNmaARdlf+E2ihXnMPU2k39ndfV/vqD  
7iuZQraH1ZrQJAqjVmzHWvEfEPyeaiJPRguu1kmnG8QkSMDtBHIpGvvHCHSU4ioF  
+wxMYqlgbfJGakc4s5RO  
=wCVy  
-----END PGP SIGNATURE-----  
`