Security Advisory: [SNS Advisory No.85] XOOPS Multiple Cross-site Scripting Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Web applications security vulnerabilities (PHP, ASP, CGI, Perl, etc)
  File Including In PBLang
  [SA17333] phpESP Unspecified Cross-Site Scripting and SQL Injection
  [SA17353] gCards "limit" SQL Injection Vulnerability
  [Full-disclosure] Multiple vulnerabilities within RockLiffe MailSite Express WebMail

From: SNS <SNS>
Date: 26.10.2005
Subject: [SNS Advisory No.85] XOOPS Multiple Cross-site Scripting Vulnerabilities

----------------------------------------------------------------------
SNS Advisory No.85
XOOPS Multiple Cross-site Scripting Vulnerabilities

Problem first discovered on: Sun, 25 Sep 2005
Published on: Tue, 25 Oct 2005
----------------------------------------------------------------------

Severity Level:
---------------
Medium

Overview:
---------
Software XOOPS for building community websites contains multiple
cross-site scripting vulnerabilities.

Problem Description:
--------------------
XOOPS is software for building community websites written in PHP.

XOOPS is provided with the specific tag called "XOOPS Code" that allows
   to register text with font attributes or images without HTML tag for
modules including private message and forum.

Flaw exists in a part of sanitizing processes when converting "XOOPS
Code" into HTML tag. Therefore, it is possible to register text with
arbitrary script for "XOOPS Code" available modules.

In addition, another flaw also exists only for forum module(newbb) and
it makes possible to submit text including arbitrary script to a forum.

If the vulnerabilities are exploited, attacker's script might be
executed when displaying a private message or a submitted message for
the forum. In this incident, users might be suffered from session
hijack and the screen could be manipulated freely by attackers after
the users logging in.

Affected Versions:
------------------
XOOPS 2.0.12 JP and prior versions
XOOPS 2.0.13.1 and prior versions
XOOPS 2.2.3 RC1 and prior versions

Solution:
---------
The vulnerabilities can be fixed by updating the software to any
version later than XOOPS 2.0.13 JP.
http://xoopscube.jp/modules/documents/index.php?id=1

Discovered by:
--------------
Keigo Yamazaki (LAC)

Thanks to:
----------
This SNS Advisory is being published in coordination with Information-technology
Promotion Agency, Japan (IPA) and JPCERT/CC.

http://jvn.jp/jp/JVN%2377105349/index.html
http://www.ipa.go.jp/security/vuln/documents/2005/JVN_77105349_XOOPS.html

Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd.
shall take no responsibility for any problems, loss or damage caused
by, or by the use of information provided here.

This advisory can be found at the following URL:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/85_e.html
----------------------------------------------------------------------