
#148 id parameter vulnerability

Milestone: 2.1.5
Status: open-later
Owner: nobody
Labels: None
Priority: 5
Updated: 2010-01-17
Created: 2008-07-14
Private: No

Hi! I found a vulnerability that may allow remote attackers to pass malicious input using an 'id' URI parameter in 'index.php' with the login block active in the Legacy root. Example:

Accessing this as anonymous:
http://localhost/index.php?id='www.xoopscube.com.br

...will result in:
<input type="hidden" name="xoops_redirect" value="/index.php?&amp;id=&#039;www.xoopscube.com.br" />

This vulnerability CAN be used for spamming, PROBABLY CAN be used in heavy XSS attacks, and MAYBE allows remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
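The output quoted in the report shows the request URI written into the hidden field with `&` as `&amp;` and the apostrophe as `&#039;`, i.e. attribute encoding of every HTML-significant character. The script below is an added illustration, not code from XOOPS Cube Legacy: it mirrors that encoding in Python (the assumption being that it came from PHP `htmlspecialchars()` with `ENT_QUOTES`), rebuilds the `xoops_redirect` field, and tokenises the result the way a browser would to check whether the report's payload, or the usual attribute-breakout payloads, ever becomes markup rather than staying inside the `value` attribute. The `is_local_redirect` helper is a hypothetical, separate check that encoding alone cannot provide.

```python
"""Added illustration (not XOOPS Cube code): does attribute encoding of the
reflected `id` parameter, as seen in the report's output, stop attribute breakout?"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def xoops_escape(value: str) -> str:
    """Escape the five HTML-significant characters. The report's output
    (&amp; and &#039;) matches PHP htmlspecialchars() with ENT_QUOTES; this
    is a Python stand-in for it, an assumption about what produced that output."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#039;"))


def build_redirect_field(query_string: str, escape: bool = True) -> str:
    """Render the hidden field from the report with the request's query string
    embedded. escape=False shows the same markup without the encoding step."""
    target = "/index.php?" + query_string
    if escape:
        target = xoops_escape(target)
    return '<input type="hidden" name="xoops_redirect" value="%s" />' % target


class _TagCollector(HTMLParser):
    """Collect every start tag the tokenizer sees, with decoded attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def reflected_safely(query_string: str, escape: bool = True) -> bool:
    """True when the rendered markup is still exactly one <input> whose value
    attribute decodes back to the original redirect target: the payload stayed data."""
    tags = parse_tags(build_redirect_field(query_string, escape))
    if len(tags) != 1:
        return False
    tag, attrs = tags[0]
    return (tag == "input"
            and set(attrs) == {"type", "name", "value"}
            and attrs["value"] == "/index.php?" + query_string)


def is_local_redirect(target: str) -> bool:
    """Hypothetical hardening, not XCL behaviour: attribute encoding says nothing
    about where the stored target sends the user later, so accept only a
    same-site absolute path (no scheme, no host, no protocol-relative forms)."""
    parts = urlsplit(target)
    return (parts.scheme == "" and parts.netloc == ""
            and target.startswith("/")
            and not target.startswith(("//", "/\\")))


# Constructed inputs: the report's own payload plus classic attribute-breakout attempts.
REPORT_QUERY = "&id='www.xoopscube.com.br"
BREAKOUT_QUERIES = [
    REPORT_QUERY,
    'id="><script>alert(1)</script>',
    "id=' onmouseover=alert(1) x='",
    "id=</input><img src=x onerror=alert(1)>",
]

if __name__ == "__main__":
    print(build_redirect_field(REPORT_QUERY))
    for q in BREAKOUT_QUERIES:
        print("%-45r escaped=%s raw=%s"
              % (q, reflected_safely(q), reflected_safely(q, escape=False)))
    for t in ["/index.php?" + REPORT_QUERY, "//evil.example/", "http://evil.example/"]:
        print("%-40r local=%s" % (t, is_local_redirect(t)))
```

Run stand-alone, the first line printed is byte-for-byte the `<input ...>` from the report. With encoding on, every payload stays a single `<input>` whose decoded `value` is the original target. With encoding off, only the `"` payload escapes the attribute and produces a second `<script>` tag: inside a double-quoted attribute neither `'` nor `<`/`>` terminate the value, which is why the report's single-quote payload is inert in this particular context regardless of `ENT_QUOTES`. The same-site check is the complementary control a reviewer would ask for on any post-login redirect parameter; the page does not state that XCL lacks it.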

Discussion

  • minahito

    minahito - 2008-08-28
    • status: open --> open-works-for-me
     
  • minahito

    minahito - 2008-08-28

    Logged In: YES
    user_id=1102607
    Originator: NO

    The redirect URL is encoded and embedded in the form. How do you use this spec to attack others?

    And, even if we should not use xoops_redirect, what do you replace this with?

     
  • Mikhail Miguel

    Mikhail Miguel - 2008-09-04

    Logged In: YES
    user_id=64845
    Originator: YES

    I've fixed the bug. But, it needs confirming before closing.

     
  • minahito

    minahito - 2008-09-16

    > This problem is compounded with the way that system engines score a
    > website from the link structure. For example, files like:
    > /register.php
    > /user.php
    > /search.php
    > are POTENTIALLY much more important than a news item like:
    > /modules/Xigg/index.php/node/1234

    That's impossible. There are many existing XOOPS Cube Legacy users. The simple URL needs a specific server setting. Not all users can change from the existing PHP setting to such a setting. Much compatibility will be lost. Instead of compatibility, confusion will come here.

    I have a question. It seems to be an SEO problem. Is that a bug? Should we fix this bug, even if we lose much compatibility?

    Enhancements are very important. But we need to distinguish between BUG and FEATURE-REQUEST. The purpose of Legacy is compatibility with X2. Is keeping compatibility with X2 a bug?

    I think the simple URL is a homework for the next-gen BASE that is not Legacy.

    Do you have another solution that keeps compatibility with X2 and X2's modules?

     
  • minahito

    minahito - 2008-09-18

    [OFF-TOPIC]
    Hi Mikhail,

    I sent a mail to your mikhail at users.sourceforge.net address to ask you to join our development directly.

    Please, check your mailbox.

     
  • minahito

    minahito - 2010-01-17

    XCL 2.1.x cannot fix this issue. But XCL 2.2 can have some new mechanics, so 2.2 may be able to fix this issue.

     
  • minahito

    minahito - 2010-01-17
    • status: open-works-for-me --> open-later
     
