Security

Xoops Multiple Cross-Site Scripting Vulnerabilities

Description

Multiple vulnerabilities have been discovered in Xoops, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input passed to the “module” parameter (when “fct” is set to “modulesadmin” and “op” is set to “install”) in modules/system/admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

2) Input passed to the “module[]”, “newname[]”, and “oldname[]” POST parameters (when “fct” is set to “modulesadmin” and “op” is set to “confirm”) in modules/system/admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

3) Input passed to the “memberslist_id[]” POST parameter (when “fct” is set to “mailusers”) in modules/system/admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

The vulnerabilities are confirmed in version 2.5.0. Other versions may also be affected.

Solution

Edit the source code to ensure that input is properly sanitised.
Further details available in Customer Area

Provided and/or discovered by
Aung Khant, YGN Ethical Hacker Group

Original Advisory
http://yehg.net/lab/pr0js/advisories/%5Bxoops_2.5.0%5D_cross_site_scripting
http://xoops.org/modules/news/article.php?storyid=5851

Source Advisory
http://secunia.com/advisories/43805/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s