
Cross-site-scripting bug in WebSight

by Nikola Strahija on March 25th, 2002

WebSight is a portal/directory system in the same vein as the Open Directory Project, Yahoo! or any of the other big web portals. Originally created as the portal/directory system for the Electronic Music World website, it is now available as open source. Unfortunately the script does not check submitted input for malicious code, so cross-site scripting can be used to obtain an admin account.


More details
------------
When a user submits a new link (for approval by an admin), none of the
inputs is checked for malicious code. An attacker can therefore insert
JavaScript here, which is executed in the admin's browser when the admin
reviews the submitted data.



Proof-of-concept
----------------
Enter the following as the website name when submitting a new link (one line):


Examplebad=window.open("http://example.com/portal/administration/
userman.php?uname=black&newpass=hat&submituser=ok", "bad",
"width=1,height=1");bad.close();


This will open a small popup when the admin reviews the new submission,
which is closed directly after opening. After the admin has reviewed the
submission, a new admin named "black" with password "hat" exists, so the
attacker can simply log in as an admin and do whatever he wants.
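The two weaknesses the proof-of-concept chains are (1) submitted link fields rendered verbatim in the admin review page and (2) an admin user-management endpoint that accepts a state-changing request as a plain GET. The following is an added illustration, not WebSight's own code (WebSight is PHP; this is a Python stand-in with hypothetical function names), showing the unescaped rendering beside the escaped form, and a handler that refuses GET and requires a session token. The constructed sample input uses a generic script tag rather than the advisory's payload.

```python
import html
import hmac
from urllib.parse import urlsplit

# Constructed sample input: a "website name" and URL carrying markup, the
# kind of values the advisory says WebSight passed straight into the admin
# review page.
SAMPLE_NAME = 'Example<script>alert(1)</script>'
SAMPLE_URL = 'javascript:alert(1)'


def render_pending_link_unsafe(name: str, url: str) -> str:
    """Before: field values interpolated verbatim (the advisory's defect)."""
    return f'<tr><td>{name}</td><td><a href="{url}">{url}</a></td></tr>'


def safe_url(url: str) -> str:
    """Allow only absolute http(s) links; anything else renders as an inert '#'."""
    parts = urlsplit(url.strip())
    return url if parts.scheme in ("http", "https") and parts.netloc else "#"


def render_pending_link(name: str, url: str) -> str:
    """After: escape every field for its HTML context before output."""
    esc = lambda s: html.escape(s, quote=True)
    u = esc(safe_url(url))
    return f'<tr><td>{esc(name)}</td><td><a href="{u}">{u}</a></td></tr>'


def userman_request(method: str, params: dict, session_token: str) -> tuple:
    """Hypothetical stand-in for the admin user-management endpoint.

    The PoC creates an admin with a plain GET (uname/newpass in the query
    string) fired from the admin's browser. Requiring POST plus a session-bound
    token stops that GET trick and cross-site forgeries. It does NOT stop script
    already running in the admin's origin, which is why the output escaping
    above is the actual fix and this is only defence in depth.
    """
    if method != "POST":
        return ("rejected", "state change requires POST")
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session_token):
        return ("rejected", "missing or invalid CSRF token")
    if not params.get("uname") or not params.get("newpass"):
        return ("rejected", "uname and newpass are required")
    return ("ok", f"user {params['uname']} created")
```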



Temporary fix
-------------
Admins could disable JavaScript, but because there are still other
possibilities to enter malicious code, this will only stop this
proof-of-concept from working.



Fix
---
Use version 0.1.1 or later.



Security risk
-------------
The author states that the software is beta and not intended for use in
production environments. On the other hand it is used at (and developed
for) http://portal.electronicmusicworld.com, so we rate the risk
medium to high.



Vendor status
-------------
The author reacted commendably. Less than 10 hours after notification a
new version was available which now filters malicious code.



Disclaimer
----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or misuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.


This advisory can be found online at:
http://www.ppp-design.de/advisories.php



--
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A

