WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability

2008-04-08T00:00:00
ID SECURITYVULNS:DOC:19586
Type securityvulns
Reporter Securityvulns
Modified 2008-04-08T00:00:00

Description

======================================================================

Advisory : WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability Release Date : Application : WoltLab(R) Community Framework Version : WCF 1.0.6 and lower Platform : PHP Vendor URL : http://community.woltlab.com/ Authors : Jessica Hope ( jessicasaulhope@googlemail.com )

=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to construct XSS attacks and path disclosure.

=======================================================================

Discussion

Full Path Disclosure via "page", "form", etc. Parameters:

WCF based applications use a factory pattern to load and instantiate the class appropriate for the current page based on user input. If the user submits data not resolving to a valid class, the exception handler adds the whole stacktrace - including the full path - into an HTML comment.

XSS via "page", "form", etc. Parameters:

The aforementioned trace includes the user submitted parameter as function argument and is left un-escaped. This opens a potential XSS issue.

=======================================================================

Solution

At this time there is no vendor patch. Vendor in question lacks a public way to contact them with relation to a security vulnerability.

The suggested solution is to not expose sensitive information (full paths) and un-escaped user input in comments.

Vendor should also publish an e-mail address or other way to contact them with such issues so that full-disclosure can be avoided before vendor notification.

Ongoing research into other products Woltlab GmbH produces is pending. Future vulnerabilities will be posted to full disclosure as they are found unless the vendor wishes to provide such contact info publicly.

=======================================================================

History:

08th April 2008: Full disclosure

=======================================================================

Credit

This issue is to be credited to Jessica Hope ( jessicasaulhope@googlemail.com )