![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
Subject: [ARL02-A10] News-TNK Cross Site Scripting Vulnerability
Date: 17 Mar 2002 01:01:36 -0000
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A10 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+
Advisory Information
--------------------
Name : News-TNK Cross Site Scripting
Vulnerability
Software Package : News-TNK
Vendor Homepage : http://www.linux-sottises.net/
Vulnerable Versions: v1.2.1 and older
Platforms : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted : 15/03/2002
Vendor Replied : 15/03/2002
Prior Problems : N/A
Current Version : v1.2.2 (immune)
Summary
-------
News-TNK is script to submit, validate, unvalidate,
comment, delete news on a website. Available in
French and English at the present time.
A Cross Site Scripting vulnerability exists in
News-TNK. This would allow a remote attacker
to send information to victims from untrusted web
servers, and make it look as if the information
came from the legitimate server.
Details
-------
The URL's and the user input seem to be filtered
pretty good. But I guess that the coders have missed
a point. The "WEB" input when replying or creating
topics, is not filtered enough. So a Cross Site
Scripting vulnerability exists in News-TNK.
Example input for the "WEB" input
<script>alert("ALPERz was here!")</script>
After submitting this information, whenever anyone
browses the page where the news message is, the
malicious code will take effect.
Solution
--------
The vendor replied to my mail and released a new
version which is immune to this vulnerability very
quickly (on the same day :})
You may download the new version or use the
method suggested by me, and approved by the
vendor, if you have made any modifications to the
news applet.
Strip HTML tags, and possibly other malicious code
within "news_post.php" (or "news_post3.php).
I suggest the following as a workaround;
At the beginning of "news_post.php" add the lines
below;
# Patch Start
$web=strip_tags($web);
# Patch End
More info about the new version and patches can be
found at:
http://www.linux-sottises.net/software.php
Credits
-------
Discovered on 15, March, 2002 by
Ahmet Sabri ALPER
salper@olympos.org
http://www.olympos.org
References
----------
Product Web Page: http://www.linux-sottises.net/