Date: Thu, 6 Feb 2014 00:15:16 +0800
From: Gunther <deviant.beta@...il.com>
To: oss-security@...ts.openwall.com
Subject: Dokeos 2.1.1 Multiple Stored XSS Vulnerabilities

Hi,

I have discovered several Stored XSS vulnerabilities in Dokeos, which you can grab at
http://downloads.sourceforge.net/project/dokeos/dokeos-2.1.1.zip?r=http://sourceforge.net/projects/dokeos/&ts=1391616505&use_mirror=nchc

*Tested Versions*
Dokeos <http://sourceforge.net/projects/dokeos/> Version 2.1.1.

*Details*

*Severity:* Stored XSS
*Confidence:* Certain
*Host:* http://localhost/
*Path:* /dokeos-2.1.1/main/auth/profile.php
*Issue detail:* The problem is that the script does not sanitise the following parameters, *“Phone”*, *“Street”*, *“Address line”*, *“Zip code”*, *“City”*, before storing them in the database. If I were to enter the following XSS vector as a value for any of these parameters, whoever browses the profile of this user will be subjected to a Stored XSS.

    "><iframe/onload=alert(document.domain)>

As you can see here, I've used the above-mentioned XSS vector in the “Zip Code” field, as shown below.

[image: dokeos_01] <http://www.xchg.info/wp-content/uploads/2014/02/dokeos_01.png>

After you have validated the entered values, simply log in as another user, or stay as the current user, and view the profile of this user. In my test case, the URL will be like this:

http://localhost/dokeos-2.1.1/main/social/profile.php?u=3

The profile.php script does not sanitise the parameters before using them after getting them from the database. This makes it possible for an anonymous attacker to manipulate the values passed to these parameters to create a Stored XSS. Upon visiting the above-mentioned URL, the visitor will be subjected to the Stored XSS as shown below:

[image: dokeos_02] <http://www.xchg.info/wp-content/uploads/2014/02/dokeos_02.png>

The 2nd issue, which is also a Stored XSS:

*Severity:* Stored XSS
*Confidence:* Certain
*Host:* http://localhost/
*Path:* /dokeos-2.1.1/main/social/groups.php?id=1
*Issue detail:* The problem is that if the attacker were to enter the following XSS vector as the “Subject Topic”:

    "><video><source onerror=alert(domain)>

[image: dokeos_03] <http://www.xchg.info/wp-content/uploads/2014/02/dokeos_03.png>

whoever clicks “Reply” on that “Topic” will be subjected to a “Stored XSS”, as shown below.

[image: dokeos_04] <http://www.xchg.info/wp-content/uploads/2014/02/dokeos_04.png>

The 3rd issue, which is also a Stored XSS:

*Severity:* Stored XSS
*Confidence:* Certain
*Host:* http://localhost/
*Path:* /dokeos-2.1.1/main/messages/view_message.php?id=6&f=social
*Issue detail:* The problem is similar to issue #2: if the attacker were to enter the following XSS vector in the Message itself:

    "><video><source onerror=alert(domain)>

[image: dokeos_05] <http://www.xchg.info/wp-content/uploads/2014/02/dokeos_05.png>

whoever clicks “Reply” on that “Message” will be subjected to a “Stored XSS”, as shown below.

[image: dokeos_06] <http://www.xchg.info/wp-content/uploads/2014/02/dokeos_06.png>

*POC / Test Code*
All the examples here were provided to the vendor.

*Disclosure Timeline*
2013-12-31 – Vulnerability Discovered.
2014-01-01 – Initial Vendor Notification (no reply).
2014-01-01 – Vulnerability Details Sent to Vendor.
2014-01-08 – Second Vendor Notification (no reply).
2014-01-15 – Third Vendor Notification (no reply).
2014-02-05 – Public Release.

Please see the full report at http://www.xchg.info/?p=381 for more details if the images won't show.

BR,
[ Gunther ]
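All three issues share one mechanism: a value read back from the database (a profile field, or the subject and body that pre-fill a reply form) is concatenated into an HTML attribute without output encoding, so the leading "> closes the attribute and the rest of the stored value becomes markup. The script below is an added example, not Dokeos code and not the reporter's test code; the field names, the input-based form layout and the sample values are assumptions modelled on the vectors in the report. It renders constructed stored values the vulnerable way and with correct attribute-context encoding, then uses the standard-library HTML parser to check whether the stored payload turned into a new element or an event-handler attribute. It also shows why encoding only < and > is not enough in attribute context: a payload that carries a double quote can still add an on* handler to the existing input element.

```python
"""Stored XSS in HTML attribute context: vulnerable rendering vs. output encoding.

Added example, not Dokeos code. Models a form that echoes database-stored,
user-controlled values into <input value="..."> and checks the result with the
standard-library HTML parser. Field names are assumptions, not Dokeos columns.
"""
import html
from html.parser import HTMLParser

# Constructed sample data, modelled on the vectors in the report.
STORED_PROFILE = {
    "city": "Kuala Lumpur",
    "zip_code": '"><iframe/onload=alert(document.domain)>',
}
STORED_REPLY = {
    "subject": '"><video><source onerror=alert(domain)>',
}
# Injects an attribute instead of a new tag; defeats encoding that handles
# < and > but leaves double quotes alone.
ATTR_ONLY_PROFILE = {"city": '" onmouseover="alert(1)'}


def render_form(values, encode=None):
    """Render each stored value into <input value="..."> the way a template
    that trusts the database does. `encode` is applied to each value before
    it is concatenated; None reproduces the vulnerable behaviour."""
    enc = encode or (lambda s: s)
    return "".join(
        f'<input type="text" name="{name}" value="{enc(value)}">\n'
        for name, value in values.items()
    )


def encode_attr(value):
    """Correct encoding for a double-quoted attribute: &, <, >, " and '."""
    return html.escape(value, quote=True)


def encode_tags_only(value):
    """Incomplete encoding: stops <tag> injection, not attribute break-out."""
    return html.escape(value, quote=False)


class _Collector(HTMLParser):
    """Record every start tag and attribute name the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)

    handle_startendtag = handle_starttag


def injected(markup, allowed_tags=("input",)):
    """Return (unexpected tags, event-handler attributes) found in rendered
    markup. Both lists are empty when the stored values came out as inert text."""
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    tags = [t for t in parser.tags if t not in allowed_tags]
    handlers = [a for a in parser.attr_names if a.startswith("on")]
    return tags, handlers


if __name__ == "__main__":
    for label, values in (("profile", STORED_PROFILE), ("reply", STORED_REPLY)):
        print(label, "vulnerable:", injected(render_form(values)))
        print(label, "encoded:   ", injected(render_form(values, encode_attr)))
    print("tags-only encoding:", injected(render_form(ATTR_ONLY_PROFILE, encode_tags_only)))
    print("attribute encoding:", injected(render_form(ATTR_ONLY_PROFILE, encode_attr)))
```

The check is deliberately context-specific: html.escape with quote=True is the right encoder for a double-quoted attribute value, but a value placed inside a script block, a URL, or an unquoted attribute needs a different encoder, and a value rendered inside a textarea needs </textarea> neutralised. Encoding on output, at the point where the context is known, is what fixes the report's issues; sanitising on input, as the report's wording suggests, would also have to anticipate every context the value is later rendered in.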