popnupblog-xss.txt

`##########################################  
PopnupBlog index.php multiple variables XSS  
Vendor url:http://www.bluemooninc.biz/  
Advisore:http://lostmon.blogspot.com/2008/08/  
popnupblog-indexphp-multiple-variables.html  
Vendor notify:no exploits availables:yes  
##########################################  
  
PopnupBlog contains a flaw that allows a remote  
cross site scripting attack.This flaw exists because  
the application does not validate 'param' , 'cat_id' and  
'view' variables upon submission to 'index.php' script.  
This could allow a user to create a specially crafted URL  
that would execute arbitrary code in a user's browser within  
the trust relationship between the browser and the server,  
leading loss ofintegrity.  
  
##########  
versions  
##########  
  
PopnupBlog 3.30 code name: Denali  
  
Prior versions can be vulnerables too.  
it affects This type CMS Systems if we  
have instaled this module:  
  
Xoops  
e-xoops  
ImpressCMS  
Bcoos  
  
and other that uses xoops code and this module.  
  
############  
Solution  
############  
  
No solution at this time !!!  
  
But you can edit the source code and ix it like:  
  
for fix 'param' open index.php and arround line 37 we have  
  
[code]  
$params = PopnupBlogUtils::getDateFromHttpParams();  
$start = PopnupBlogUtils::getStartFromHttpParams();  
$view = $BlogCNF['default_view'];  
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;  
[/code]  
  
add a line to force 'param' to return a integer:  
  
[code]  
$_GET['param'] = intval($_GET['param']);  
$params = PopnupBlogUtils::getDateFromHttpParams();  
$start = PopnupBlogUtils::getStartFromHttpParams();  
$view = $BlogCNF['default_view'];  
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;  
[/code]  
  
for fix 'cat_id' and 'view' open index.php and arround line 129 :  
  
[code]  
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email  
$cat_id=0;  
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];  
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];  
$xoopsTpl->assign('popnupblog',  
PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));  
if (isset($_GET['view'])) $view = $_GET['view'];  
if (isset($_POST['view'])) $view = $_POST['view'];  
[/code]  
  
add intval to force variables to return an integer like:  
  
[code]  
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email  
$cat_id=0;  
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);  
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);  
$xoopsTpl->assign('popnupblog',  
PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));  
if (isset($_GET['view'])) $view = intval($_GET['view']);  
if (isset($_POST['view'])) $view = intval($_POST['view']);  
[/code]  
  
###########  
Examples  
###########  
  
http://localhost/modules/popnupblog/index.php?param=1  
">[XSS-CODE]&start=0,10&cat_id=&view=1  
  
http://localhost/modules/popnupblog/index.php?param=  
&start=0,10&cat_id=">[XSS-CODE]&view=1  
  
http://localhost/modules/popnupblog/index.php?param=  
&start=0,10&cat_id=&view=1">[XSS-CODE]  
  
  
############## €nd ###################  
  
Thnx To estrella to be my light  
Thnx to all Lostmon Team !  
thnx to imydes From www.imydes.com  
--   
atentamente:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
La curiosidad es lo que hace mover la mente....  
`