[Full-disclosure] XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))

nah at suckea.com nah at suckea.com
Tue Apr 19 01:51:13 BST 2005


Small XSS bug in the JAWS gadget Glossary; all versions from 0.3 to 0.5 
latest beta (beta2) are vulnerable.

STATUS: The vendor has been contacted and they have fixed the bug, but 
they haven't released an official patch yet.
(You can find a provisional patch at the end of this message.)

TECHNICAL INFO
================================================================
The Glossary gadget doesn't filter dangerous characters when a new word is
added to the glossary, allowing the insertion of anything from
"<script>alert(document.cookie)</script>" to more complex code. 
This in turn allows theft of cookies and escalation of privileges (a user 
with lower access than you inserts malicious code and tries to steal your 
access).

VULNERABLE VERSIONS
----------------------------------------------------------------
0.4-LATEST BETA (2)

FIX
------------------------------------------------------------------
 
Replace the NewTerm function in GlossaryModel.php with this new one.

/**
 * Adds a new term
 *
 * @access  public
 * @param   string  $term Term
 * @param   string  $desc Term's description
 * @return  boolean Returns true if term was added
 */
function NewTerm ($term, $desc)
{
    // xss fix: strip HTML tags from the user-supplied term and description
    if (stristr($term, "<") || stristr($term, ">"))
        $term = strip_tags($term);
    if (stristr($desc, "<") || stristr($desc, ">"))
        $desc = strip_tags($desc);

    $sql = "INSERT INTO [[term]] (term, description, createtime, updatetime)
            VALUES ({term},{desc},NOW(),NOW())";
    $rs = $GLOBALS["app"]->DB->Execute ($sql, array ("term" => $term,
                                                      "desc" => $desc));

    if ($rs) {
        $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_TERM_ADDED"),
                                               RESPONSE_NOTICE);
        return true;
    } else {
        $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"),
                                               RESPONSE_ERROR);
        return new JawsError (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"),
                              _t("GLOSSARY_NAME"));
    }
}
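As an added example (not the advisory's patch and not JAWS code), the PHP below puts the patch's input-side strip_tags() filter next to output-side HTML escaping and runs both over the payload quoted above; sanitizeTermInput(), escapeForHtml() and isInertHtmlText() are hypothetical helper names chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example: two places where the Glossary term/description can be made
// inert. Input-side stripping is what the provisional patch does; output-side
// escaping makes the stored value harmless wherever it is later rendered.

/** Input-side filter, equivalent to the patch's stristr()+strip_tags() branch. */
function sanitizeTermInput(string $value): string
{
    // strip_tags() returns the input unchanged when it contains no '<', so the
    // patch's stristr() guard is redundant; calling it unconditionally is the same.
    return strip_tags($value);
}

/** Output-side encoding: & < > " ' become entities, so the browser shows text. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** True when a rendered fragment contains none of the characters that start markup. */
function isInertHtmlText(string $rendered): bool
{
    return preg_match('/[<>"\']/', $rendered) === 0;
}

// Constructed sample input: the payload quoted in the advisory.
$term = '<script>alert(document.cookie)</script>';

$stripped = sanitizeTermInput($term);   // tags removed, inner text kept
$escaped  = escapeForHtml($term);       // markup characters encoded
$both     = escapeForHtml($stripped);   // store stripped, escape on output

if ($stripped !== 'alert(document.cookie)') {
    throw new RuntimeException('strip_tags result unexpected: ' . $stripped);
}
if ($escaped !== '&lt;script&gt;alert(document.cookie)&lt;/script&gt;') {
    throw new RuntimeException('escape result unexpected: ' . $escaped);
}
if (!isInertHtmlText($escaped) || !isInertHtmlText($both)) {
    throw new RuntimeException('rendered text still contains markup characters');
}

printf("input:    %s\nstripped: %s\nescaped:  %s\n", $term, $stripped, $escaped);
```

Note that strip_tags() leaves quotes and ampersands untouched, so on its own it does not protect a value that is later placed inside an HTML attribute; escaping at render time covers that case.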

----------------------------------------------------------
Contact information
:Paulino Calderon
:nah at suckea.com
:http://suckea.com/nah/




Full-Disclosure is hosted and sponsored by Secunia.