[VIM] Ig-shop change_pass.php XSS - 2 vectors
smoore at securityglobal.net
Tue Oct 31 17:26:28 EST 2006
When we initially fired up the code, the 'action' parameter vector
didn't work as advertised but code inspection led us to the 'id'
parameter vector (I sort of "assumed" that is what the reporter meant to
The $PHP_SELF variable returns the script name, but not the query
parameters (manual says: "The filename of the currently executing
script, relative to the document root"). So the 'action' parameter
shouldn't be a valid exploit vector.
But, it looks like you may be able to exploit via the 'email' parameter
when used in a POST request because of this line:
echo "<p align=center><BR><BR><BR><BR><font face='Verdana'
size='2'>The password has been successfully changed!</font></p><b><font
face='Verdana, Arial, Helvetica, sans-serif' size='2'><a
href='update_account.php?id=".$HTTP_POST_VARS[email]."'>Back to User
I didn't test that part, however.
Steven M. Christey wrote:
> There's a slightly confusing discrepancy in SECTRACK:1017130 and
> BID:20768, in which the description mentions the "id" parameter.
> However, the raw source, included verbatim in the SECTRACK, provides
> an exploit using the action parameter.
> I dug up the source code and figured out that both vectors are valid.
> In version 1.4 from sourceforge, dated 2003, change_pass.php has:
>> <input type="hidden" name="email" value="<?=$HTTP_GET_VARS['id']?>">
> So, that's the "id" vector.
> And, for $action we have:
> <form method="post" action="<?=$PHP_SELF?>" name="mem_change_form" onSubmit="return Validate();">
> So, as long as action is not "1", the query string is dumped into the
> form. This takes care of the action parameter, in the sense
> that it's not "1" and is part of the query string.
> I don't know what the original researcher's intention was with listing
> the Validate() function. It doesn't seem to contain any of that
> DOM-based XSS stuff, and it's only activated when the user presses
> There might be some other issues elsewhere in the code, such as where
> action is 1, but I didn't investigate further.
> - Steve
More information about the VIM