ppp-design found the following cross-site scripting bug in WebSight Directory System:
Details
Product: WebSight Directory System
Affected Version: 0.1
Immune Version: 0.1.1
OS affected: all OS with php and mysql
Vendor-URL: http://sourceforge.net/projects/websight
Vendor-Status: informed
Security-Risk: medium - high
Remote-Exploit: Yes
Introduction
This is what the author tells us: "WebSight is a portal/directory system in the same vein as the Open Directory Project, Yahoo! or any of the other big webportals. Originally created as the portal/directory system for the Electronic Music World website, now available as open source."
Unfortunately the script does not check any input for malicious code, so cross-site scripting can be used to obtain an admin account.
More details
When a user submits a new link (for approval by an admin), none of the inputs are checked for malicious code. A blackhat can therefore insert JavaScript here, which is executed when an admin reviews the submitted data.
Proof-of-concept
Enter the following as website name when submitting a new link (one line):
Example<script>bad=window.open("http://example.com/portal/administration/
userman.php?uname=black&newpass=hat&submituser=ok", "bad",
"width=1,height=1");bad.close();</script>
This will open a small popup when the admin reviews the new submission; the popup is closed directly after opening. After the review, a new admin named "black" with password "hat" exists, so the blackhat can easily log in as an admin and do whatever he wants.
Temporary-fix
Admins could disable JavaScript, but because there are still other possibilities to enter malicious code, this will only stop this proof-of-concept from working.
Fix
Use version 0.1.1 or later.
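To illustrate the root cause described under "More details" and the shape of the fix, here is an added example (not WebSight's own code; the function names are hypothetical) that renders a submitted link name on an admin review page first unescaped, as the vulnerable version does, and then HTML-encoded on output:

```php
<?php
// Added example, not part of WebSight. Function names are hypothetical.

// Vulnerable pattern: the submitted value is echoed into the review page
// unchanged, so a stored <script> tag runs in the reviewing admin's browser.
function render_link_row_vulnerable(string $name, string $url): string
{
    return "<tr><td>$name</td><td>$url</td></tr>";
}

// Hardened pattern: HTML-encode every user-controlled value on output so the
// browser displays it literally. ENT_QUOTES also covers attribute context.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_link_row(string $name, string $url): string
{
    // Accept only http(s) URLs so a javascript: link cannot be stored either.
    $safeUrl = preg_match('#^https?://#i', $url) ? $url : '#';
    return '<tr><td>' . esc($name) . '</td><td><a href="' . esc($safeUrl) . '">'
         . esc($safeUrl) . '</a></td></tr>';
}

// Constructed sample input in the shape of the advisory's proof-of-concept.
$submitted = 'Example<script>/* attacker-controlled script */</script>';

$vulnerable = render_link_row_vulnerable($submitted, 'http://example.com/');
$hardened   = render_link_row($submitted, 'http://example.com/');

// The unescaped row still contains a live <script> tag; the encoded row does not.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($hardened, '<script>') === false);
assert(strpos($hardened, '&lt;script&gt;') !== false);

echo $hardened, PHP_EOL;
```

Output encoding fixes the injection itself; separately, the proof-of-concept only works because userman.php creates an account from a plain GET request, so state-changing admin actions should additionally require POST with a per-session token.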
Security-Risk
The author states that the software is beta and not intended for use in production environments. On the other hand it is used at (and developed for) http://portal.electronicmusicworld.com, so we decided to rate the risk medium - high.
Vendor status
The author reacted in a very commendable way. After less than 10 hours a new version was available which now filters malicious code.
Disclaimer
All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.
