#169 wapity found XSS in login.php

v_2.3
closed-fixed
nobody
Core (82)
5
2009-12-06
2009-11-29
Anonymous
No

Penetration tests with Wapiti 1.6 found an XSS vulnerability in login.php. Site is running version 2.3 on https.
dani@danici:~$ wapiti https://postfixadmin-server/pfadm
Wapiti-1.1.6 (wapiti.sourceforge.net)
....
Attacking urls (GET)...
-----------------------

Attacking forms (POST)...
-------------------------
Found XSS in https://postfixadmin-server/pfadm/users/login.php
with params = lang=on&fUsername=%3Cscript%3Evar+wapiti_68747470733a2f2f6272756767652e7479646e65742e6f72672f706661646d2f75736572732f6c6f67696e2e706870_66557365726e616d65%3Dnew+Boolean%28%29%3B%3C%2Fscript%3E&fPassword=on&submit=Login
coming from https://postfixadmin-server/pfadm/users/login.php

Discussion

  • I just read the code and can't follow you. The only result I get is a message that my username or password is wrong (as expected), but the script tag is not included anywhere AFAIK.

    Can you give some details on how to exploit this without using wapiti?

     
  • GingerDog
    GingerDog
    2009-12-02

    Thanks for the bug report; we believe this has been fixed in subversion.

     
  • GingerDog
    GingerDog
    2009-12-02

    Hi,

    I'll agree this is a bug/security flaw. I had assumed that Smarty would have been configured to escape all output (i.e. using something like htmlentities($data, ENT_QUOTES, 'utf-8')), but it hasn't been.

    I've changed the inc.smarty.php file in revision 782

    And now I get the following :

    orange:~ $ wapiti http://orange/david/postfixadmin/trunk
    Wapiti-1.1.6 (wapiti.sourceforge.net)
    ....
    Attacking urls (GET)...
    -----------------------

    Attacking forms (POST)...
    -------------------------

    Looking for permanent XSS
    -------------------------

    Thanks for reporting this; and thanks for making me aware of wapiti - I hadn't come across it before :)

     
  • GingerDog
    GingerDog
    2009-12-02

    • status: open --> open-fixed
     
  • Charles
    Charles
    2009-12-02

    Question...

    This bug was reported against 2.3 - but 2.3 is NOT a smarty version...

    There WILL be NON-smarty 2.3.x bugfix releases, right?

     
  • GingerDog
    GingerDog
    2009-12-02

    Ah good point Charles; sorry I should have realised that.

    Patch to do this :
    Index: login.php
    ===================================================================
    --- login.php (revision 782)
    +++ login.php (working copy)
    @@ -65,7 +65,7 @@
    {
    $error = 1;
    $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>';
    - $tUsername = $fUsername;
    + $tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');
    }
    }
    else
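    Review bot: the `+ $tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');` line only encodes the value on the failed-login path; whatever the `else` branch at the end of the hunk (and any other code) assigns to $tUsername stays unencoded, so if the template prints $tUsername raw, those paths still reflect user input. Encoding where the template emits $tUsername (as r782 does globally for the Smarty branch) would cover every path at once; if the assignment-site fix is kept for 2.3.x, add a comment next to it saying $tUsername is already HTML-encoded, so a later change neither double-encodes it nor adds an unencoded assignment.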

    (See changeset 783)
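    To reproduce what wapiti reported without wapiti, and to see what changeset 783 actually changes, here is an added PHP example; it is not Postfix Admin code. It decodes the POST body from the report above, pushes fUsername through a cut-down stand-in for the failed-login branch of login.php before and after the fix, and renders it the way a template that prints $tUsername into the username field's value attribute would. Where the real template prints $tUsername, the pLogin_failed text, and the second payload with a single quote are all assumptions made for the example; the check mirrors wapiti's string-level test, i.e. whether the raw <script> tag comes back in the page.

```php
<?php
// Added example, not Postfix Admin code: reproduce the reflected XSS that wapiti
// reported in users/login.php and show what the htmlentities() fix from
// changeset 783 changes. Run with: php reproduce_xss.php
declare(strict_types=1);

// POST body exactly as wapiti reported it in the bug report.
const WAPITI_PARAMS = 'lang=on&fUsername=%3Cscript%3Evar+wapiti_68747470733a2f2f6272756767652e7479646e65742e6f72672f706661646d2f75736572732f6c6f67696e2e706870_66557365726e616d65%3Dnew+Boolean%28%29%3B%3C%2Fscript%3E&fPassword=on&submit=Login';

// Constructed second payload with a single quote, used only to show why ENT_QUOTES matters.
const QUOTE_PAYLOAD = "x' onfocus='alert(1)";

// Stand-in for the language string; the real pLogin_failed text is assumed.
const PLOGIN_FAILED = 'Your email address or password are not correct.';

/** Decode an application/x-www-form-urlencoded body the way PHP fills $_POST. */
function parse_post_body(string $body): array
{
    $post = [];
    parse_str($body, $post);
    return $post;
}

/** Failed-login branch of login.php before changeset 783: username copied through untouched. */
function failed_login_before_783(array $post): array
{
    return [
        'tMessage'  => '<span class="error_msg">' . PLOGIN_FAILED . '</span>',
        'tUsername' => (string) ($post['fUsername'] ?? ''),
    ];
}

/** Same branch after changeset 783: entity-encode at the assignment. */
function failed_login_after_783(array $post): array
{
    $vars = failed_login_before_783($post);
    $vars['tUsername'] = htmlentities($vars['tUsername'], ENT_QUOTES, 'UTF-8');
    return $vars;
}

/**
 * Cut-down login form. Where the real template prints $tUsername is an
 * assumption; here it goes into the username field's value attribute, and the
 * quoting style is a parameter so both attribute contexts can be shown.
 */
function render_login_form(array $vars, string $quote = '"'): string
{
    return $vars['tMessage'] . "\n"
        . '<form method="post">'
        . '<input type="text" name="fUsername" value=' . $quote . $vars['tUsername'] . $quote . '>'
        . '</form>';
}

/** What wapiti's check amounts to: is the raw <script> tag present in the response? */
function reflects_script_tag(string $html): bool
{
    return stripos($html, '<script>') !== false;
}

/** Does the username break out of its attribute, i.e. does the quote character survive encoding? */
function breaks_out_of_attribute(string $username, string $quote, int $flags): bool
{
    return strpos(htmlentities($username, $flags, 'UTF-8'), $quote) !== false;
}

$post = parse_post_body(WAPITI_PARAMS);
echo "Decoded fUsername: {$post['fUsername']}\n\n";

$before = render_login_form(failed_login_before_783($post));
$after  = render_login_form(failed_login_after_783($post));
printf("Before 783, raw <script> in page: %s\n", reflects_script_tag($before) ? 'yes' : 'no');
printf("After  783, raw <script> in page: %s\n", reflects_script_tag($after) ? 'yes' : 'no');
echo "\nAfter 783 the username field renders as:\n", $after, "\n\n";

// Why ENT_QUOTES: ENT_COMPAT encodes only the double quote, so a value printed
// into a single-quoted attribute would still break out of it.
printf("Single-quoted attribute, ENT_COMPAT: breakout %s\n",
    breaks_out_of_attribute(QUOTE_PAYLOAD, "'", ENT_COMPAT) ? 'yes' : 'no');
printf("Single-quoted attribute, ENT_QUOTES: breakout %s\n",
    breaks_out_of_attribute(QUOTE_PAYLOAD, "'", ENT_QUOTES) ? 'yes' : 'no');
```

    The first two lines of output are what the wapiti runs in this thread show: the untouched branch returns the raw <script> tag, the encoded one returns &lt;script&gt;. The last two lines are the reason to pass ENT_QUOTES explicitly rather than rely on the default flags: ENT_COMPAT leaves the single quote alone, which is enough to break out of a single-quoted attribute.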

     
  • Charles
    Charles
    2009-12-02

    Thanks!

    So... will there be ongoing bugfix releases for the 2.3 non-smarty version going forward? Or is the plan for 2.3.1 to be the first smarty based release?

     
  • IMHO a 2.3 bugfix release (non-smarty) makes sense - there have been some bugfixes since the release. However this is just my opinion - I'll bring up the topic on the -devel mailing list.

     
    • status: open-fixed --> closed-fixed