Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17398
HistoryJul 03, 2007 - 12:00 a.m.

eTicket v.1.5.1.1 Multiple Cross-Site Scripting

2007-07-0300:00:00
vulners.com
16
JSON

eTicket v.1.5.1.1 Multiple Cross-Site Scripting

Author: Attila Gerendi (Darkz)
Date: June 29, 2007
Package: eTicket (http://eticket.sourceforge.net/)
Versions Affected: v.1.5.1.1 (Other versions may also be affected)
Severity: XSS

Input passed to "$_SERVER['REQUEST_URI']" in various scrips and includes is not properly sanitised before
being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's
browser session in context of an affected site when malicious data is viewed.

Vulnerable code pieces:

user_login.php on line 7:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post" name="user_login">

admin_login.php on line 7:
"<form action="<?=$_SERVER['REQUEST_URI']?>" method="post" name="admin_login">"

user_group.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

rep.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

pref.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

my.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

main.php on line 216:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="POST">

mail.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

cat.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

banlist_delete.php on line 13:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

banlist_delete.php on line 43:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>

banlist_addedit.php on line 27:
<form name="form" action="<?=$_SERVER['REQUEST_URI']?>" method="post" onsubmit="return
validateForm(this);">

banlist_addedit.php on line 40:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>

banlist.php on line 41:
<form action="<?=$_SERVER['REQUEST_URI']?>" name="banlist">

searc_form.php

$surl=$_SERVER['PHP_SELF'].'?s='.$news;
$qs=preg_replace('/s=(basic|advanced)/', '', $_SERVER['QUERY_STRING']);
if ($qs != '') { $surl.=(substr($qs, 0, 1) == '&')?$qs:"&amp;$qs"; }

?>
<input type="submit" name="search_submit" class="inputsubmit" value="<?=LANG_SEARCH?>">
[<a href="<?=$surl?>"><?=$stext?></a>]

Status:

  1. Contacted the author at June 29, 2007 via sourceforge tracker
    (https://sourceforge.net/tracker/?func=detail&amp;atid=725721&amp;aid=1745220&amp;group_id=132967&#41;.
  2. The author concluded "I am not happy that this is a real bug, and therefore will be closed until
    further notice."

Solution:
-edit the source code to ensure the input is properly sanitized.

JSON