From: Ahmet Sabri ALPER (s_alper hotmail.com)
Date: Thu Jun 06 2002 - 09:09:44 CDT
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A12 ----/----------/+
+/-----------\----- salper olympos.org ---/-----------/+
Advisory Information
--------------------
Name : php(Reactor) Cross Site Scripting Vulnerability
Software Package : php(Reactor)
Vendor Homepage : http://phpreactor.org/
Vulnerable Versions: v1.2.7 and older
Platforms : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted : 15/05/2002
Vendor Replied : 15/05/2002
Prior Problems : N/A
Current Version : v1.2.7pl1 (immune)
Summary
-------
php(Reactor) is a set of integrated applications
focusing on user interaction. Included are articles,
content management, bbs/forums, polls, ecards, and
chat events. Administration is quick and easy with
a browser-based control panel.
A Cross Site Scripting vulnerability exists in
php(Reactor). This would allow a remote attacker
to send information to victims from untrusted web
servers, and make it look as if the information
came from the legitimate server.
Details
-------
The "browse.php" script in the "comments" section does not
filter user input for the $go variable. Any user may therefore
craft a malicious link to gain information about users, and
may even obtain the login information of the administrator.
Here is a proof-of-concept link:
http://[target]/comments/browse.php?fid=2&tid=4&go=<script>alert(document.cookie)</script>
Note that the $fid and $tid variables should be integers.
Solution
--------
The vendor replied quickly and released a new version
on 28/05/2002, which can be downloaded at
http://sourceforge.net/project/showfiles.php?group_id=12105&release_id=91877
Credits
-------
Discovered on 15 May 2002 by
Ahmet Sabri ALPER <salper olympos.org>
ALPER Research Labs.
References
----------
Product Web Page: http://www.phpreactor.org/
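
The input handling described under Details, as an added example (not php(Reactor) source and not part of the original advisory): a hypothetical handler that reflects the "go" parameter into HTML element content, first unencoded and then encoded with htmlspecialchars(), with fid and tid validated as integers. The function names, the markup and the positive-integer range are assumptions.

```php
<?php
// Added example: hypothetical stand-in for the request handling described
// in the advisory. This is not php(Reactor) code.

// Vulnerable pattern: the request value is written into the page unchanged,
// so markup in "go" becomes part of the document served by the site.
function render_go_unsafe(string $go): string
{
    return '<p>Section: ' . $go . '</p>';
}

// Hardened pattern: encode the value for the HTML context it is written into.
function render_go_safe(string $go): string
{
    $encoded = htmlspecialchars($go, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Section: ' . $encoded . '</p>';
}

// fid and tid are expected to be integers, so anything else is rejected.
// The lower bound of 1 is an assumption about valid identifiers.
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request mirroring the parameters named in the advisory.
$request = [
    'fid' => '2',
    'tid' => '4',
    'go'  => '<script>alert(document.cookie)</script>',
];

$fid = parse_id($request['fid']);
$tid = parse_id($request['tid']);
if ($fid === null || $tid === null) {
    http_response_code(400);
    exit("invalid fid/tid\n");
}

// The unsafe output carries a live <script> element; the safe output
// carries the same text as inert character entities.
echo "unsafe: ", render_go_unsafe($request['go']), "\n";
echo "safe:   ", render_go_safe($request['go']), "\n";
```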