kshop-xss.txt

`##########################################  
Kshop module search variable&field remote XSS  
Vendor url:http://www.kaotik.biz/  
Advisore:http://lostmon.blogspot.com/2008/08/  
kshop-module-search-variable-and-field.html  
Vendor notify:no exploit available:YES  
##########################################  
  
  
Kshop is a E-commerce php/Mysql script module for  
multiple CMS Systems like Xoops,e-xoops,bcoos and  
impressCMS and probably in all CMS based in Xoops code.  
  
Kshop contains a flaw that allows a remote cross site  
scripting attack.This flaw exists because the  
application does not validate 'Search' variable and  
search form field include in this module upon  
submission to 'kshop_search.php' script in Kshop module.  
This could allow a user to create a specially crafted form  
that would execute arbitrary code in a user's browser within  
the trust relationship between the browser and the server,  
leading loss of integrity.  
  
  
#################  
Versions  
################·  
  
Kshop module 2.22  
  
i make a test with ImpressCMS  
and this CMS in kshop module  
have version 2.23 ????  
  
  
it´s posible that prior versions  
are affected too.  
  
it affects This type CMS Systems if we  
have instaled this module:  
  
Xoops  
e-xoops  
ImpressCMS  
Bcoos  
  
and other that uses xoops code and this module.  
  
###################  
Solution  
###################  
  
At this moment ,no have solution...  
  
but you can make a simple patch ,open kshop_search.php  
inside kshop module folder arround line 45 you have  
[code]  
  
$xoopsTpl->assign('searchTerm',$_POST['search']);  
  
you can use strip_tags() PHP function , like:  
  
$xoopsTpl->assign('searchTerm',strip_tags($_POST['search']));  
  
now it´s patched , because this remove all tags in the search variable.  
  
or you can use htmlentities() PHP function for patch much more clean like :  
  
$xoopsTpl->assign('searchTerm',htmlentries($_POST['search']));  
[/code]  
  
  
  
###################  
Proof of Concept.  
###################  
  
This Issue could not exploit directly by URL  
because the form field have a limitation of 20 chars  
and we need a POST to exploit ,for that we can´t exploit  
directly by url because it is a GET and we need a POST.  
  
This is not a problem, we can make a form with the POST  
and without any restriction in the form field for Exploit it  
  
put some javascript or html code in the form field  
  
  
  
Example: "><script>alert()</script>  
  
its necesary that you put "> before the code.  
  
  
  
<form action="http://[victim]/modules/kshop/kshop_search.php" method="POST">  
  
<input type="text" name="search" value="Put your XSS Here !!!">  
  
<input type="image"  
src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif"></form>  
  
  
  
  
############## €nd ###################  
  
Thnx To estrella to be my light  
Thnx to all Lostmon Team !  
thnx to imydes From www.imydes.com  
--   
atentamente:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
La curiosidad es lo que hace mover la mente....  
`