what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WiKID wClient-PHP 3.0-2 Cross Site Scripting

WiKID wClient-PHP 3.0-2 Cross Site Scripting
Posted Apr 11, 2008
Authored by Francesco Ongaro, Antonio Parata | Site ictsc.it

WiKID wClient-PHP versions 3.0-2 and below suffer from multiple cross site scripting vulnerabilities.

tags | advisory, php, vulnerability, xss
SHA-256 | 67d10cd0b31c2647b3ef2d33f5dd1920c1101c3453e62e3516e332f15ae75f08

WiKID wClient-PHP 3.0-2 Cross Site Scripting

Change Mirror Download
WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

Name Multiple Vulnerabilities in wClient-PHP
Systems Affected wClient-PHP 3.0-2 and earlier versions
Severity Medium
Impact (CVSSv2) Medium (5/10, vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Vendor http://www.wikidsystems.com/
Advisory http://www.ush.it/team/ush/hack-wclient/wikid.txt
Author Francesco "ascii" Ongaro (ascii AT ush DOT it)
Antonio "s4tan" Parata (s4tan AT ush DOT it)
Date 20080411

I. BACKGROUND

From the WiKID website: "The WiKID Strong Authentication System is a
dual-source, software-based two-factor authentication system designed
to be less expensive and more extensible than hardware tokens."

II. DESCRIPTION

In the wClient-PHP package PHP_SELF is echoed back to the client
without proper sanitization leading to XSS issues.

WiKID mantainers have released a new version of the software (3.0-3)
that fixes exposed vulnerabilities and can be downloaded from the url:

http://www.wikidsystems.com/downloads/network-clients

Users that based their implementations on the code contained in
sample.php are advised to upgrade.

III. ANALYSIS

During a review of the wClient-PHP-3.0-1.tar.gz package (an additional
component of WiKID with network client functions) the following
vulnerabilities were identified in the sample code:

file sample.php, line 251: PHP_SELF insecure usage leads to XSS

<form action="<?php echo $PHP_SELF ?>" method="POST" >

file sample.php, line 269: PHP_SELF insecure usage leads to XSS

<form action="<?php echo $PHP_SELF ?>" method="POST" >

file sample.php, line 279: PHP_SELF insecure usage leads to XSS

<form action="<?php echo $PHP_SELF ?>" method="POST" >

file sample.php, line 292: possible PHP_SELF insecure usage leads to XSS

<form action="<?php echo $PHP_SELF ?>" method="POST" >

This one was not verified since it's not enabled in the version I have
downloaded but probably it's exploitable in the exact same way as
the other ones.

file sample.php, line 306: PHP_SELF insecure usage leads to XSS

<form action="<?php echo $PHP_SELF ?>" method="POST" >

$PHP_SELF can be exploited by requesting an URL like file.php/<XSS>.

Note: On recent PHP versions $PHP_SELF should be $_SERVER['PHP_SELF'].

In case of register_globals=On on recent versions where the variable
is undefined it's possible to override it by issuing PHP_SELF with
the wished value in GPC (GET, POST, COOKIE).

On old version of PHP it's possible to drive the value of PHP_SELF by
GLOBALS poisoning [1].

Version 3.0-2 fix $PHP_SELF instances to $_SERVER['PHP_SELF'], users
are strongly advised to do not use this version as it doesn't correctly
fix presented vulnerabilities and is more exploitable than 3.0-1.

An attacker can steal UserID, Passcode, Domain code and Registration
code before they are sent back to the server itself and potentially
poison the navigation of the user and steal other sensitive informations
via social engineering (injecting additional fields in the form or
showing "additional functions" to the user) abusing user's trust.

Remediation consists in proper escaping the user controlled inputs.

[1] http://www.ush.it/2006/01/25/php5-globals-vulnerability/

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20080320 Bug discovered
20080320 Vendor contacted
20080411 Advisory released

IX. CREDIT

Francesco "ascii" Ongaro and Antonio "s4tan" Parata are credited with
the discovery of this vulnerability.

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it

X. LEGAL NOTICES

Copyright (c) 2008 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close