#169 Wapiti found XSS in login.php

v_2.3
closed-fixed
nobody
Core (82)
5
2009-12-06
2009-11-29
Anonymous
No

Penetration tests with Wapiti 1.6 found an XSS vulnerability in login.php. Site is running version 2.3 on https.
dani@danici:~$ wapiti https://postfixadmin-server/pfadm
Wapiti-1.1.6 (wapiti.sourceforge.net)
....
Attacking urls (GET)...
-----------------------

Attacking forms (POST)...
-------------------------
Found XSS in https://postfixadmin-server/pfadm/users/login.php
with params = lang=on&fUsername=%3Cscript%3Evar+wapiti_68747470733a2f2f6272756767652e7479646e65742e6f72672f706661646d2f75736572732f6c6f67696e2e706870_66557365726e616d65%3Dnew+Boolean%28%29%3B%3C%2Fscript%3E&fPassword=on&submit=Login
coming from https://postfixadmin-server/pfadm/users/login.php

Discussion

  • Christian Boltz

    Christian Boltz - 2009-11-29

    I just read the code and can't follow you. The only result I get is a message that my username or password is wrong (as expected), but the script tag is not included anywhere AFAIK.

    Can you give some details on how to exploit this without using Wapiti?

     
  • GingerDog

    GingerDog - 2009-12-02

    Thanks for the bug report; we believe this has been fixed in subversion.

     
  • GingerDog

    GingerDog - 2009-12-02

    Hi,

    I'll agree this is a bug/security flaw. I had assumed that Smarty would have been configured to escape all output (i.e. using something like htmlentities($data, ENT_QUOTES, 'UTF-8');), but it hasn't been.

    I've changed the inc.smarty.php file in revision 782.

    And now I get the following:

    orange:~ $ wapiti http://orange/david/postfixadmin/trunk
    Wapiti-1.1.6 (wapiti.sourceforge.net)
    ....
    Attacking urls (GET)...
    -----------------------

    Attacking forms (POST)...
    -------------------------

    Looking for permanent XSS
    -------------------------

    Thanks for reporting this; and thanks for making me aware of Wapiti - I hadn't come across it before :)
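    An added example, not PostfixAdmin's or the commenter's code, showing the unescaped reflection of the username on the failed-login page beside the htmlentities()-based form described above; the function names, the markup and the probe string are constructed for illustration.

```php
<?php
// Added example, not PostfixAdmin's code: the unescaped username on the
// failed-login page beside the htmlentities() version discussed in the
// thread. Function names and markup are made up for illustration.

// Constructed probe modelled on the scanner's harmless marker: a script tag.
const PROBE = '<script>var wapiti_marker = new Boolean();</script>';

// Before the fix: the submitted value is written straight into the HTML.
function render_login_unsafe(string $fUsername): string
{
    $tUsername = $fUsername;
    return '<span class="error_msg">Login failed</span>'
         . '<input type="text" name="fUsername" value="' . $tUsername . '">';
}

// After the fix: quotes and angle brackets become entities; the charset is
// stated explicitly so multibyte input is not misinterpreted.
function render_login_safe(string $fUsername): string
{
    $tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');
    return '<span class="error_msg">Login failed</span>'
         . '<input type="text" name="fUsername" value="' . $tUsername . '">';
}

// Defender's check 1: does the submitted value reach the response verbatim?
function reflects_raw_input(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

// Defender's check 2: the page carries the encoded form of the input, and that
// form contains none of the characters that could close the attribute or open
// a tag (< > " ').
function input_fully_encoded(string $html, string $input): bool
{
    $encoded = htmlentities($input, ENT_QUOTES, 'UTF-8');
    return strpos($html, $encoded) !== false
        && !preg_match('/[<>"\']/', $encoded);
}

echo 'unsafe reflects raw: ', var_export(reflects_raw_input(render_login_unsafe(PROBE), PROBE), true), PHP_EOL;
echo 'safe reflects raw:   ', var_export(reflects_raw_input(render_login_safe(PROBE), PROBE), true), PHP_EOL;
echo 'safe fully encoded:  ', var_export(input_fully_encoded(render_login_safe(PROBE), PROBE), true), PHP_EOL;
echo render_login_safe(PROBE), PHP_EOL;
```

    The same two checks are what the scanner output in the thread is doing implicitly: a "Found XSS" line means the first check is true for some parameter, and a clean run means the probe never came back verbatim.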

     
  • GingerDog

    GingerDog - 2009-12-02
    • status: open --> open-fixed
     
  • Charles

    Charles - 2009-12-02

    Question...

    This bug was reported against 2.3 - but 2.3 is NOT a smarty version...

    There WILL be NON-smarty 2.3.x bugfix releases, right?

     
  • GingerDog

    GingerDog - 2009-12-02

    Ah, good point Charles; sorry, I should have realised that.

    Patch to do this:
    Index: login.php
    ===================================================================
    --- login.php (revision 782)
    +++ login.php (working copy)
    @@ -65,7 +65,7 @@
    {
    $error = 1;
    $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>';
    - $tUsername = $fUsername;
    + $tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');
    }
    }
    else
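    Review bot: the escaping is applied only on the failed-login branch, where $tUsername is assigned from $fUsername; the scanner's request in the original report also carried `lang` and `fPassword`, and nothing in this hunk shows whether those values are reflected anywhere, so it is worth confirming that every variable the login template echoes gets the same treatment. Encoding at the output point (in the template) rather than at assignment would also cover any other code path that sets $tUsername. ENT_QUOTES together with an explicit 'UTF-8' charset is the right choice if the value lands inside a quoted attribute, which the form field in the report suggests it does.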

    (See changeset 783)

     
  • Charles

    Charles - 2009-12-02

    Thanks!

    So... will there be ongoing bugfix releases for the 2.3 non-smarty version going forward? Or is the plan for 2.3.1 to be the first smarty based release?

     
  • Christian Boltz

    Christian Boltz - 2009-12-06

    IMHO a 2.3 bugfix release (non-smarty) makes sense - there have been some bugfixes since the release. However, this is just my opinion - I'll bring up the topic on the -devel mailing list.

     
  • Christian Boltz

    Christian Boltz - 2009-12-06
    • status: open-fixed --> closed-fixed
     
