XOOPS MyTextSanitizer CSS 1.3x & 2.x

2007.10.23
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Author: Doxical & Magistrat
http://www.blocus-zone.com
Date: 25/04/2003
Object: XOOPS MyTextSanitizer filtering bug allows remote users to conduct cross-site scripting attacks in many modules: News, newbb, private messages, signatures, etc.
Impact: Disclosure of authentication information, execution of arbitrary code via network, modification of user information, admin account hijacking.
Fix: Yes

Introduction

After the glossary and gallery modules of XOOPS, we have found another vulnerability, this time in the MyTextSanitizer function, which permits some CSS (cross-site scripting) injection in XOOPS versions 1.3.x to 2.x.

Description of the MyTextSanitizer script:
This is the XOOPS function that filters unauthorized characters and malicious scripts.

The vulnerability:
A remote user can bypass the sanitizer and conduct cross-site scripting attacks by posting in a board topic (newbb), sending a malicious private message to the admin, inserting a script in a news comment, and so on.

Example:
java script:alert%28document.cookie%29 with img tags

History:
- The xoops.org team was notified on 04/21/2003.
- Patches have been available since 04/25/2003.

Regards
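The advisory does not show the patch. As an added example (not XOOPS code and not the vendor's fix), the following PHP sketch renders image tags with an allow-list on the URL instead of trying to filter out bad strings, so the example string above is left as inert text. The `[img]...[/img]` syntax, the function names and the sample posts are assumptions made for illustration.

```php
<?php
// Added example: not XOOPS code. All names below are hypothetical.

// Allow-list: an absolute http(s) URL with no whitespace, quotes, angle
// brackets or control characters anywhere. Everything else is rejected,
// so no list of "bad" schemes or spellings has to be maintained.
const IMG_URL_PATTERN =
    '~^https?://[a-z0-9.-]+(?::\d{1,5})?(?:/[^\s"\'<>\x00-\x1f\x7f]*)?\z~i';

function is_safe_image_url(string $url): bool
{
    return strlen($url) <= 2048 && preg_match(IMG_URL_PATTERN, $url) === 1;
}

function render_img_tags(string $text): string
{
    // Escape the whole post first so no user-supplied markup survives.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    return preg_replace_callback(
        '~\[img\](.*?)\[/img\]~is',
        function (array $m): string {
            // Validate the URL as the browser would see it (entities decoded).
            $url = htmlspecialchars_decode($m[1], ENT_QUOTES);
            if (!is_safe_image_url($url)) {
                return $m[0]; // rejected: keep the tag as escaped, inert text
            }
            // Re-escape on output so the value cannot break out of the attribute.
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

// Constructed sample posts; the second uses the string from the advisory.
$samples = [
    '[img]https://example.org/logo.png[/img]',
    '[img]java script:alert%28document.cookie%29[/img]',
];
foreach ($samples as $post) {
    echo render_img_tags($post), PHP_EOL;
}
```

Only the first sample is turned into an `<img>` element; the second is printed back as plain escaped text.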

