[UNIX] Jaws Cross Site Scripting (GlossaryModel.php)

2005-04-21T00:00:00
ID SECURITYVULNS:DOC:8404
Type securityvulns
Reporter Securityvulns
Modified 2005-04-21T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html


Jaws Cross Site Scripting (GlossaryModel.php)

SUMMARY

" <http://www.jaws-project.com/index.php> Jaws is a Framework and Content Management System for building dynamic web sites. It aims to be User Friendly giving ease of use and lots of ways to customize web sites, but at the same time is Developer Friendly, it offers a simple and powerful framework to hack your own modules."

Jaws is vulnerable to cross site scripting attacks, allowing malicious users to steal identity cookies.

DETAILS

Vulnerable Systems: * Jaws version 0.4

Immune Systems: * Jaws version 0.5

The Glossary gadget doesn't filter out dangerous characters in the process of adding a new word to the glossary, allowing the insertion of items from <script>alert(document.cookie)</script> to more complex JavaScript code.

Workaround: Replace the NewTerm function in GlossaryModel.php for this new one. /* * Adds a new term * * @acess public * @param string $term Term * @param string $desc Term's description * @return boolean Returns true if term was added / function NewTerm ($term, $desc) { //xss fix if(stristr($term, "<") || stristr($term, ">")) $term = strip_tags($term); if(stristr($desc, "<") || stristr($desc, ">")) $desc = strip_tags($desc);

           $sql = &quot;INSERT INTO [[term]] &#40;term, description,

createtime, updatetime) VALUES ({term},{desc},NOW(),NOW())"; $rs = $GLOBALS["app"]->DB->Execute ($sql, array ("term" => $term, "desc" => $desc));

           if &#40;$rs&#41; {
                   $GLOBALS[&quot;session&quot;]-&gt;PushLastResponse

(_t("GLOSSARY_TERM_ADDED"),RESPONSE_NOTICE); return true; } else { $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), RESPONSE_ERROR); return new JawsError (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"), _t("GLOSSARY_NAME")); } }

ADDITIONAL INFORMATION

The information has been provided by <mailto:nah@suckea.com> Paulino Calderon.

========================================

This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.