[VIM] Ig-shop change_pass.php XSS - 2 vectors

Stuart Moore smoore at securityglobal.net
Tue Oct 31 17:26:28 EST 2006


When we initially fired up the code, the 'action' parameter vector 
didn't work as advertised but code inspection led us to the 'id' 
parameter vector (I sort of "assumed" that is what the reporter meant to 

The $PHP_SELF variable returns the script name, but not the query 
parameters (manual says: "The filename of the currently executing 
script, relative to the document root").  So the 'action' parameter 
shouldn't be a valid exploit vector.

But, it looks like you may be able to exploit via the 'email' parameter 
when used in a POST request because of this line:

			echo "<p align=center><BR><BR><BR><BR><font face='Verdana' 
size='2'>The password has been successfully changed!</font></p><b><font 
face='Verdana, Arial, Helvetica, sans-serif' size='2'><a 
href='update_account.php?id=".$HTTP_POST_VARS[email]."'>Back to User 

I didn't test that part, however.


Steven M. Christey wrote:
> There's a slightly confusing discrepancy in SECTRACK:1017130 and
> BID:20768, in which the description mentions the "id" parameter.
> However, the raw source, included verbatim in the SECTRACK, provides
> an exploit using the action parameter.
> I dug up the source code and figured out that both vectors are valid.
> In version 1.4 from sourceforge, dated 2003, change_pass.php has:
>> 			<input type="hidden" name="email" value="<?=$HTTP_GET_VARS['id']?>">
> So, that's the "id" vector.
> And, for $action we have:
> 		if($action=="1")
> 		{	
> 			...
> 		}
> 		else
> 		{
> ?>
> 			<form method="post" action="<?=$PHP_SELF?>" name="mem_change_form" onSubmit="return Validate();">
> So, as long as action is not "1", the query string is dumped into the
> form.  This takes care of the action parameter, in the sense
> that it's not "1" and is part of the query string.
> I don't know what the original researcher's intention was with listing
> the Validate() function.  It doesn't seem to contain any of that
> DOM-based XSS stuff, and it's only activated when the user presses
> Submit.
> There might be some other issues elsewhere in the code, such as where
> action is 1, but I didn't investigate further.
> - Steve
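The three output sinks discussed in this thread (the hidden `email` field filled from `$HTTP_GET_VARS['id']`, the form `action` built from `$PHP_SELF`, and the post-change link built from `$HTTP_POST_VARS[email]`) share one defect: request data is written into HTML without escaping. The following snippet is an added illustration, not part of the thread and not the Ig-shop code. It shows each sink next to a form that escapes with htmlspecialchars(). It uses the modern superglobals `$_GET`, `$_POST` and `$_SERVER['PHP_SELF']` in place of the long-array names in the quoted code, and the `h()`, `*_vulnerable()` and `*_fixed()` function names are invented for the example.

```php
<?php
// Added example: unescaped vs. escaped output for the three sinks named
// in the thread. Not the Ig-shop code; helper names are invented.

// Escape a value for placement inside an HTML attribute or text node.
function h(string $value): string {
    // ENT_QUOTES also escapes single quotes, which matters because the
    // original markup uses single-quoted attributes (href='...').
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Sink 1: hidden field filled from the "id" query parameter ---------
function hidden_email_vulnerable(array $get): string {
    // Mirrors: <input type="hidden" name="email" value="<?=$HTTP_GET_VARS['id']?>">
    return '<input type="hidden" name="email" value="' . ($get['id'] ?? '') . '">';
}
function hidden_email_fixed(array $get): string {
    return '<input type="hidden" name="email" value="' . h($get['id'] ?? '') . '">';
}

// --- Sink 2: form action built from PHP_SELF ---------------------------
function form_action_vulnerable(array $server): string {
    // Mirrors: <form method="post" action="<?=$PHP_SELF?>" ...>
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}
function form_action_fixed(array $server): string {
    // PHP_SELF is the script path plus any trailing PATH_INFO, so it is
    // request-influenced and is escaped like any other input.
    return '<form method="post" action="' . h($server['PHP_SELF']) . '">';
}

// --- Sink 3: "Back to User" link built from the POSTed email -----------
function back_link_vulnerable(array $post): string {
    // Mirrors: <a href='update_account.php?id=".$HTTP_POST_VARS[email]."'>
    return "<a href='update_account.php?id=" . ($post['email'] ?? '') . "'>Back</a>";
}
function back_link_fixed(array $post): string {
    // Two encodings are in play: the value becomes part of a URL query
    // (urlencode) and that URL then sits inside an HTML attribute (h).
    $url = 'update_account.php?id=' . urlencode($post['email'] ?? '');
    return "<a href='" . h($url) . "'>Back</a>";
}

// Constructed sample request data containing HTML metacharacters.
$sampleGet    = ['id' => 'a"b<c>'];
$samplePost   = ['email' => "x'y&z"];
$sampleServer = ['PHP_SELF' => '/change_pass.php/"<extra>'];

foreach ([
    'hidden (vulnerable)' => hidden_email_vulnerable($sampleGet),
    'hidden (fixed)'      => hidden_email_fixed($sampleGet),
    'action (vulnerable)' => form_action_vulnerable($sampleServer),
    'action (fixed)'      => form_action_fixed($sampleServer),
    'link (vulnerable)'   => back_link_vulnerable($samplePost),
    'link (fixed)'        => back_link_fixed($samplePost),
] as $label => $html) {
    // The vulnerable variants emit the metacharacters verbatim; the fixed
    // ones contain no raw <, >, " or ' originating from request data.
    echo $label, ': ', $html, "\n";
}
```

Run it with `php` on the command line and compare each vulnerable/fixed pair: the fixed output for every sink keeps the request value inside the attribute it was meant for. The third sink needs both urlencode() and htmlspecialchars() because the value crosses two contexts (URL query, then HTML attribute); applying only one of them leaves the other context unprotected.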

More information about the VIM mailing list