[VIM] verify of ViArt Shop Free 2.5.5 issue (diff digging)

[Steven M. Christey]

Refs:

  BUGTRAQ:20060607 [NOBYTES.COM: #12] ViArt Shop v2.5.5 - XSS Vulnerability
  URL:http://www.securityfocus.com/archive/1/archive/1/436415/100/0/threaded
  SECUNIA:20538
  URL:http://secunia.com/advisories/20538

The Bugtraq post links to the following fix:

  http://www.codetosell.com/downloads/xss_fix.zip

whose name is probably sufficient enough to prove an acknowledgement
of this report, but...

The xss_fix.zip file contains 3 executables:

  block_forum_topic_new.php
  block_forum_topics.php
  block_reviews.php

Downloading the original 2.5.5 files (still available on the vendor
web site) and doing a diff with the fix yields results such as this
one for block_forum_topic_new.php:

< 				$sql .= " WHERE forum_id=" . $db->tosql($forum_id, INTEGER);
---
> 				$sql .= " WHERE forum_id=" . $forum_id;


These are in the forum_topic_new function.  But before we get to that
point, we have:

	$forum_id = get_param("forum_id");

So, we have an SQL injection problem here.


Back to the XSS.

For block_reviews.php we have the reviews function:

< 	$t->set_var("column_id",     htmlspecialchars($column_id));
< 	$t->set_var("column_name",   htmlspecialchars($column_name));
---
> 	$t->set_var("column_id",     $column_id);
> 	$t->set_var("column_name",   $column_name);

and $column_id comes from:

		$column_id = get_param("item_id");

Note - based on surface level analysis, $column_name is only set to
static values.


and for the forum_topics_show function in block_forum_topics.php we
have:

< 		$forum_topic_new_url = "forum_topic_new.php?forum_id=" . urlencode($forum_id);
---
> 		$forum_topic_new_url = "forum_topic_new.php?forum_id=" . $forum_id;

and this is called from forum.php.


*phew* that hurt.

- Steve