
Pligg Installation File XSS Vulnerability







Title: Pligg Installation File XSS Vulnerability
Vendor: Pligg
Product: Pligg CMS
Tested Version: 1.0.4
Threat Class: XSS
Severity: Medium
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares
 
===== Description ==== 
Pligg is prone to a reflected XSS vulnerability in the installation file install/install1.php. The "language" parameter, taken from the HTTP request, is reflected into the value attribute of an input tag and can be manipulated to execute JavaScript through event-handler attributes such as onmouseover. Even with the two sanitizers applied (strip_tags and addslashes), it is possible to break out of the double-quoted value attribute of the input tag by passing a double quote in the "language" parameter.
 
----- install/install1.php -----
20:  
----- install/install1.php -----
 
The sanitizer strip_tags prevents new tags from being introduced (a script tag, for instance), but it does not filter event-handler attributes such as onmouseover. addslashes inserts backslashes before special characters such as the double quote, but since HTML does not process backslash escape sequences, the browser still sees a quote that closes the attribute. This sanitizer is therefore useless for preventing the break-out from the double-quoted value, regardless of whether magic_quotes is enabled or not.
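The following is an added example, not Pligg's own code, that reproduces the sanitizer chain the advisory describes (strip_tags followed by addslashes) in front of a hidden input tag, and contrasts it with attribute-safe encoding. The function names weak_sanitize, attr_encode and render are assumptions made for the illustration; the payload is the advisory's first proof-of-concept value, URL-decoded.

```php
<?php
// Added example (not Pligg's code): why strip_tags + addslashes does not
// protect a double-quoted attribute value, and what does.

// The advisory's first PoC payload, URL-decoded: %22%20onmouseover=alert()%3E
$payload = '" onmouseover=alert()>';

// The sanitizer chain the advisory describes for install1.php.
// (Function name is an assumption for this example.)
function weak_sanitize(string $value): string
{
    // strip_tags only removes <...> sequences; a lone '>' is left alone,
    // and addslashes merely prefixes the quote with a backslash.
    return addslashes(strip_tags($value));
}

// Attribute-safe encoding: quotes become entities and can no longer close
// the attribute. (Function name is an assumption for this example.)
function attr_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mimics how the value is reflected into the hidden input tag.
function render(string $value): string
{
    return '<input type="hidden" name="language" value="' . $value . '">';
}

// Vulnerable rendering: the backslash is literal to the HTML parser, so the
// injected quote closes value= and onmouseover becomes an attribute of the
// input element.
echo render(weak_sanitize($payload)), PHP_EOL;
// <input type="hidden" name="language" value="\" onmouseover=alert()>">

// Hardened rendering: the quote is now character data inside the attribute
// and no new attribute appears.
echo render(attr_encode($payload)), PHP_EOL;
// <input type="hidden" name="language" value="&quot; onmouseover=alert()&gt;">
```

Run it with `php example.php` and compare the two lines: only the second keeps the whole payload inside the value attribute. The general rule is that output encoding must match the context the data lands in (an HTML attribute here); addslashes is an escaping function for a different context (SQL string literals in old code) and has no meaning to the HTML parser.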
 
===== Impact ==== 
Malicious JavaScript code can be executed in the context of the affected web site.
 
===== Proof of Concept ==== 
A simple proof of concept that demonstrates breaking out of the double-quoted attribute by passing a double quote is shown below. On its own, however, this payload is not exploitable because the input field is hidden, so there is no visible area for the mouse to move over.
 
http://target/install/install1.php?language=%22%20onmouseover=alert()%3E 
 
To overcome this limitation and provide a realistic attack scenario, we used a technique taken from [1]. The payload injects a style attribute that enlarges the hidden input field until it covers the whole screen, so that any mouse movement triggers the onmouseover handler and executes the malicious code. In this proof of concept an alert containing the message "XSS" should appear as soon as the mouse is moved.
 
http://target/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E 
 
The attack vector used in this proof of concept had no effect on the Google Chrome web browser, but was successfully exploited in Mozilla Firefox and other browsers.
 
===== Workaround ==== 
Remove the installation directory after installation, as recommended during installation.
 
===== Disclosure Timeline ==== 
June 16, 2010 - Vendor notification.
June 22, 2010 - Vendor replied but did not acknowledge the bug.
June 22, 2010 - New contact attempted to provide more details about the bug.
July 07, 2010 - No vendor reply. Public disclosure.
 
===== References ==== 
1. http://www.packetstormsecurity.org/papers/bypass/workaround-xss.txt 
2. http://www.pligg.com 