[ postfixadmin-Bugs-2905599 ] wapity found XSS in login.php
From: SourceForge.net <no...@so...> - 2009-12-02 17:26:49
Bugs item #2905599, was opened at 2009-11-29 05:39
Message generated for change (Comment added) made by libertytrek
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2905599&group_id=191583

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Core
Group: v 2.3
Status: Open
Resolution: Fixed
Priority: 5
Private: No
Submitted By: https://www.google.com/accounts ()
Assigned to: Nobody/Anonymous (nobody)
Summary: wapity found XSS in login.php

Initial Comment:
Penetration tests with Wapiti 1.6 found an XSS vulnerability in login.php. Site is running version 2.3 on https.

dani@danici:~$ wapiti https://postfixadmin-server/pfadm
Wapiti-1.1.6 (wapiti.sourceforge.net)
....
Attacking urls (GET)...
-----------------------
Attacking forms (POST)...
-------------------------
Found XSS in https://postfixadmin-server/pfadm/users/login.php with params = lang=on&fUsername=%3Cscript%3Evar+wapiti_68747470733a2f2f6272756767652e7479646e65742e6f72672f706661646d2f75736572732f6c6f67696e2e706870_66557365726e616d65%3Dnew+Boolean%28%29%3B%3C%2Fscript%3E&fPassword=on&submit=Login coming from https://postfixadmin-server/pfadm/users/login.php

----------------------------------------------------------------------

Comment By: Charles (libertytrek)
Date: 2009-12-02 12:26

Message:
Thanks! So... will there be ongoing bugfix releases for the 2.3 non-smarty version going forward? Or is the plan for 2.3.1 to be the first smarty-based release?

----------------------------------------------------------------------

Comment By: GingerDog (gingerdog)
Date: 2009-12-02 08:25

Message:
Ah, good point Charles; sorry, I should have realised that.

Patch to do this:

Index: login.php
===================================================================
--- login.php (revision 782)
+++ login.php (working copy)
@@ -65,7 +65,7 @@ { $error = 1; $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>'; - $tUsername = $fUsername; + $tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8'); } } else

(See changeset 783)

----------------------------------------------------------------------

Comment By: Charles (libertytrek)
Date: 2009-12-02 06:56

Message:
Question... This bug was reported against 2.3 - but 2.3 is NOT a smarty version... There WILL be NON-smarty 2.3.x bugfix releases, right?

----------------------------------------------------------------------

Comment By: GingerDog (gingerdog)
Date: 2009-12-02 05:33

Message:
Hi,

I'll agree this is a bug/security flaw. I had assumed that Smarty would have been configured to escape all output (i.e. using something like htmlentities($data, ENT_QUOTES, 'uff-8');), but it hasn't been. I've changed the inc.smarty.php file in revision 782, and now I get the following:

orange:~ $ wapiti http://orange/david/postfixadmin/trunk
Wapiti-1.1.6 (wapiti.sourceforge.net)
....
Attacking urls (GET)...
-----------------------
Attacking forms (POST)...
-------------------------
Looking for permanent XSS
-------------------------

Thanks for reporting this; and thanks for making me aware of wapiti - I hadn't come across it before :)

----------------------------------------------------------------------

Comment By: GingerDog (gingerdog)
Date: 2009-12-02 05:33

Message:
Thanks for the bug report; we believe this has been fixed in subversion.

----------------------------------------------------------------------

Comment By: Christian Boltz (christian_boltz)
Date: 2009-11-29 16:30

Message:
I just read the code and can't follow you. The only result I get is a message that my username or password is wrong (as expected), but the script tag is not included anywhere AFAIK. Can you give some details how to exploit this without using wapiti?
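Review bot: the login.php hunk escapes at assignment ($tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');) rather than at the point where $tUsername is rendered, so the variable now carries HTML-encoded text; any other consumer of $tUsername (a Smarty template that already escapes output, as the inc.smarty.php change in revision 782 mentioned in this thread does, or a non-HTML context such as a log line) will double-encode or see the encoded name, and any other path that copies user input into $tUsername outside this failed-login branch stays unescaped. Suggest keeping the template-side escaping as the primary control and limiting this hunk to the build where login.php emits $tUsername itself, or naming the encoded variable differently so the two conventions do not mix. The ENT_QUOTES and 'UTF-8' arguments are the right choice for a value that ends up inside a quoted attribute. The hunk as pasted has lost its line breaks and indentation, so it will not apply with patch(1); pointing at changeset 783, as the comment does, is the usable form.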
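The reflection discussed in this thread, as an added example that is not part of the bug report or of PostfixAdmin's code: a stand-alone CLI script that rebuilds the failed-login branch once as it reflected the username before revision 783 and once with the htmlentities() call from the patch, then feeds both the POST body wapiti reported plus a constructed quote-breakout payload. The attribute context of the sink, the literal "Login failed" message standing in for $PALANG['pLogin_failed'], and the helper names are assumptions made here; the real template is not shown on this page.

```php
<?php
// Added illustration for the postfixadmin bug 2905599 thread; not project code.
// Requires PHP 8 (str_contains). Run with: php reflect_demo.php
declare(strict_types=1);

// POST body copied from the wapiti output in the bug report (constructed input;
// nothing here talks to a server). parse_str() decodes it as PHP would for $_POST.
const WAPITI_POST_BODY = 'lang=on&fUsername=%3Cscript%3Evar+wapiti_68747470733a2f2f6272756767652e7479646e65742e6f72672f706661646d2f75736572732f6c6f67696e2e706870_66557365726e616d65%3Dnew+Boolean%28%29%3B%3C%2Fscript%3E&fPassword=on&submit=Login';

// Constructed second payload: the wapiti marker only proves raw reflection, this
// one breaks out of a quoted attribute and shows why ENT_QUOTES matters.
const QUOTE_BREAKOUT = 'admin" autofocus onfocus="alert(1)';

function post_fields(string $body): array
{
    $fields = [];
    parse_str($body, $fields);
    return $fields;
}

// Failed-login branch as it stood before r783. The sink (a quoted attribute of the
// re-rendered form) and the message text are assumptions for this demo.
function render_before(string $fUsername): string
{
    $tMessage  = '<span class="error_msg">Login failed</span>';
    $tUsername = $fUsername;                      // copied through untouched
    return $tMessage . "\n"
        . '<input type="text" name="fUsername" value="' . $tUsername . '" />';
}

// Same branch with the r783 hunk applied: encode <, >, &, " and ' for UTF-8 input.
function render_after(string $fUsername): string
{
    $tMessage  = '<span class="error_msg">Login failed</span>';
    $tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');
    return $tMessage . "\n"
        . '<input type="text" name="fUsername" value="' . $tUsername . '" />';
}

// What wapiti effectively checks: the submitted marker comes back byte for byte.
function reflects_raw(string $html, string $input): bool
{
    return str_contains($html, $input);
}

$payloads = [
    'wapiti marker'      => post_fields(WAPITI_POST_BODY)['fUsername'],
    'attribute breakout' => QUOTE_BREAKOUT,
];

foreach ($payloads as $label => $payload) {
    $variants = [
        'before r783' => render_before($payload),
        'after r783'  => render_after($payload),
    ];
    foreach ($variants as $state => $html) {
        printf("%-19s %-12s reflected raw: %s\n%s\n\n",
            $label, $state, reflects_raw($html, $payload) ? 'yes' : 'no', $html);
    }
}
```

Both payloads come back verbatim from render_before() and neither does from render_after(): the wapiti marker's angle brackets become `&lt;` and `&gt;`, and the breakout's double quote becomes `&quot;`, so the attribute is never terminated. Note that because the patch encodes at assignment, $tUsername in render_after() holds already-encoded text; a template layer that escapes again, such as the inc.smarty.php change mentioned in the thread, would double-encode it.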
----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2905599&group_id=191583