XFileSharing Pro - [BUG] Cross Site Scripting Two found [FIXED]

spyer
Posts: 28
Joined: Mar 27, 2008 9:53 am

[BUG] Cross Site Scripting Two found [FIXED]

#1 Post by spyer » May 02, 2008 2:53 pm

when you send a message from the contact system.. you'll be redirected to the main page with a message to tell you whether it was a success or failure.

the url is like this http://website.com/?msg=Message sent successfully

but anyone can come and change "Message sent successfully" to whatever they want.

try this... SORRY EZYFILE :)

http://www.ezyfile.net/?msg=%3Cscript%3Ealert(%22CROSS SITE SCRIPTING%22)%3C/script%3E

also when sending reports

i'll post them here

LINE: 446 $ses->redirect("$c->{site_url}/?msg=Message sent successfully");
LINE: 1581 $ses->redirect("$c->{site_url}/?msg=Report sent successfully");

Thank you
Last edited by spyer on May 06, 2008 4:30 pm, edited 3 times in total.

Namaless
Posts: 107
Joined: Apr 20, 2008 12:10 pm

#2 Post by Namaless » May 03, 2008 10:50 am

WOW!
Please change title to "[BUG] XSS Message Sent" for major identification about problem.

Regards.

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#3 Post by PilgrimX182 » May 03, 2008 12:43 pm

Sorry guys, we have holidays over here, will fix everything on Monday.
But to quickly fix this "?msg=" you can add this to the end of "sub new" function in Session.pm:

$self->f->{msg}=~s/[\<\>\"]+//g;

Namaless
Posts: 107
Joined: Apr 20, 2008 12:10 pm

#4 Post by Namaless » May 03, 2008 2:04 pm

PilgrimX182 wrote: Sorry guys, we have holidays over here, will fix everything on Monday.
But to quickly fix this "?msg=" you can add this to the end of "sub new" function in Session.pm:

$self->f->{msg}=~s/[\<\>"]+//g;

I have tried to edit this file, but I see it is encrypted.. is it possible to have a fixed file?

Regards.

spyer
Posts: 28
Joined: Mar 27, 2008 9:53 am

#5 Post by spyer » May 03, 2008 3:45 pm

i've tried adding the code Pilgrim wrote and it didn't work as it should.. i always get an error...
I encrypted the code so it hopefully becomes correct :)

$frys+>s+>{zft}&=&~f/[\<\>\"]+//t;

but i've had some issues with it...

i added it in the [sub new] function as you said Pilgrim

so this is the final results

$frys+>vavgPTV();
$frys+>{nhgu_pbbx}='ksff';
$frys+>s+>{zft}&=&~f/[\<\>\"]+//t;
erghea&$frys;

i've added it in line 20... now no message is sent when you try "?msg=whatever"

you get this number [4294967295] on all pages, some in green color, some in brown.

when you add this

$frys+>s+>{zft}&=&//;

nothing comes up.. also "?msg=" doesn't work at all

what do you think people?

spyer
Posts: 28
Joined: Mar 27, 2008 9:53 am

#6 Post by spyer » May 03, 2008 5:08 pm

i think i've got a solution,, i don't know if Pilgrim agrees or not...

to replace

LINE: 446 $ses->redirect("$c->{site_url}/?msg=Message sent successfully");
LINE: 1581 $ses->redirect("$c->{site_url}/?msg=Report sent successfully");

with

LINE: 446 $f->{msg}.="Message sent successfully";
LINE: 1581 $f->{msg}.="Report sent successfully";

and mark the old line or remove it.. and if you ever need it you can find it here.... i've tested it and it works fine :)

Namaless
Posts: 107
Joined: Apr 20, 2008 12:10 pm

#7 Post by Namaless » May 03, 2008 5:10 pm

spyer wrote: i think i've got a solution,, i don't know if Pilgrim agrees or not...

to replace

LINE: 446 $ses->redirect("$c->{site_url}/?msg=Message sent successfully");
LINE: 1581 $ses->redirect("$c->{site_url}/?msg=Report sent successfully");

with

LINE: 446 $f->{msg}.="Message sent successfully";
LINE: 1581 $f->{msg}.="Report sent successfully";

and mark the old line or remove it.. and if you ever need it you can find it here.... i've tested it and it works fine :)

Is it possible to get a file?

Regards.

spyer
Posts: 28
Joined: Mar 27, 2008 9:53 am

#8 Post by spyer » May 03, 2008 5:12 pm

what do you mean?

EDIT: the file is [index.cgi]

Namaless
Posts: 107
Joined: Apr 20, 2008 12:10 pm

#9 Post by Namaless » May 05, 2008 7:07 am

spyer wrote: what do you mean?

EDIT: the file is [index.cgi]

LOL!
All right, tomorrow I'll search for these lines in the files..

Regards.

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#10 Post by PilgrimX182 » May 05, 2008 9:23 am

Fixed msg vulnerability. Download latest ZIP from Client Area.
Also implemented Export files feature.
Also fixed e-mail sending.

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#11 Post by PilgrimX182 » May 05, 2008 9:26 am

2spyer: your solution is good, but I specially now use redirects instead to avoid dupe emails when the user presses F5 multiple times.

spyer
Posts: 28
Joined: Mar 27, 2008 9:53 am

#12 Post by spyer » May 05, 2008 11:31 am

PilgrimX182 wrote: 2spyer: your solution is good, but I specially now use redirects instead to avoid dupe emails when the user presses F5 multiple times.

Roger that :)

thx :)

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#13 Post by PilgrimX182 » May 05, 2008 1:13 pm

Hehe, just did some extra XSS vulnerability research, found some good ones :) Try to add <h1> inside link for Link Checker :)
To avoid future XSS problems I'm now escaping "<>" symbols for all input variables.
It's inside Session.pm in latest ZIP.

P.S.: and don't play with Session.pm, it's under voodoo curse :)
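As an added example, not code from the XFileSharing package or from either poster, this stand-alone Perl script contrasts the quick fix from post #3 (deleting `<>"` from the parameter when the session object is built) with escaping the value at the point where it is written into the page, which keeps the message intact and does not depend on listing every dangerous character up front, as the "escape `<>` for all input variables" change in post #13 still does. It uses the URL from post #1 as constructed input; `parse_query`, `strip_fix`, `escape_html` and `render_msg` are names chosen here, not the project's.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: the query string from the report in post #1, as a browser sends it.
my $query = 'msg=%3Cscript%3Ealert(%22CROSS%20SITE%20SCRIPTING%22)%3C/script%3E';

# Minimal query-string decoder (assumption: stands in for the framework's own
# parser that fills $self->f in Session.pm).
sub parse_query {
    my ($qs) = @_;
    my %f;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $f{$k} = $v;
    }
    return \%f;
}

# The quick fix from post #3: delete <, > and " from the parameter at input time.
# This is a denylist applied on input: it changes the stored message and only
# covers the characters listed.
sub strip_fix {
    my ($s) = @_;
    $s =~ s/[\<\>\"]+//g;
    return $s;
}

# Output escaping: turn every HTML-significant character into an entity at the
# moment the value is written into the page, so the browser shows the text and
# never parses it as markup.
my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
sub escape_html {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Template fragment that shows the status message (assumption: stands in for
# whatever template echoes $f->{msg} on the main page).
sub render_msg {
    my ($msg) = @_;
    return qq{<div class="msg">} . escape_html($msg) . qq{</div>};
}

my $f = parse_query($query);
print "raw:      $f->{msg}\n";                    # what an unescaped template would emit
print "stripped: ", strip_fix($f->{msg}), "\n";   # scriptalert(CROSS SITE SCRIPTING)/script
print "rendered: ", render_msg($f->{msg}), "\n";  # &lt;script&gt;... shown as literal text
```

Stripping on input is cheap to drop into "sub new" but silently mangles any legitimate message containing those characters; escaping in the template is what makes `?msg=` safe regardless of which characters an attacker picks.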

Namaless
Posts: 107
Joined: Apr 20, 2008 12:10 pm

#14 Post by Namaless » May 05, 2008 1:21 pm

Thanks for export features..

Regards.

spyer
Posts: 28
Joined: Mar 27, 2008 9:53 am

#15 Post by spyer » May 05, 2008 5:03 pm

PilgrimX182 wrote: Hehe, just did some extra XSS vulnerability research, found some good ones :) Try to add <h1> inside link for Link Checker :)
To avoid future XSS problems I'm now escaping "<>" symbols for all input variables.
It's inside Session.pm in latest ZIP.

P.S.: and don't play with Session.pm, it's under voodoo curse :)

lolz

can you tell us the line number? coz it's all encrypted code