eTicket v.1.5.1.1 Multiple Cross-Site Scripting

Author: Attila Gerendi (Darkz)
Date: June 29, 2007
Package: eTicket (http://eticket.sourceforge.net/)
Versions Affected: v.1.5.1.1 (other versions may also be affected)
Severity: Cross-Site Scripting (reflected)

The value of $_SERVER['REQUEST_URI'] (the raw request target, path and query string exactly as the client sent them) is echoed into HTML by various scripts and includes without being sanitised: it is written unescaped into the action attribute of form tags and into the href of links. A request whose URI contains a double quote followed by markup closes the attribute and injects arbitrary HTML and script code, which is executed in the victim's browser session in the context of the affected site when the crafted URL is opened. Note that PHP does not URL-decode REQUEST_URI, so the quote has to reach the server literally; a percent-encoded %22 is echoed back as %22 and does not break out of the attribute.

Vulnerable code pieces:

user_login.php on line 7:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post" name="user_login">

admin_login.php on line 7:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post" name="admin_login">

user_group.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

rep.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

pref.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

my.php on line 15:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

main.php on line 216:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="POST">

mail.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

cat.php on line 16:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

banlist_delete.php on line 13:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="post">

banlist_delete.php on line 43:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>

banlist_addedit.php on line 27:
<form name="form" action="<?=$_SERVER['REQUEST_URI']?>" method="post" onsubmit="return validateForm(this);">

banlist_addedit.php on line 40:
<a href="<?=$_SERVER['REQUEST_URI']?>"><?=LANG_BACK_TO_LIST?></a>

banlist.php on line 41:
<form action="<?=$_SERVER['REQUEST_URI']?>" name="banlist">

searc_form.php (same flaw, but via $_SERVER['PHP_SELF'] and $_SERVER['QUERY_STRING'], which are likewise attacker-controlled and end up unescaped in an href):
$surl=$_SERVER['PHP_SELF'].'?s='.$news;
$qs=preg_replace('/s=(basic|advanced)/', '', $_SERVER['QUERY_STRING']);
if ($qs != '') { $surl.=(substr($qs, 0, 1) == '&')?$qs:"&amp;$qs"; }

?>
 <input type="submit" name="search_submit" class="inputsubmit" value="<?=LANG_SEARCH?>">
 [<a href="<?=$surl?>"><?=$stext?></a>]

Status:

1. Contacted the author on June 29, 2007 via the SourceForge tracker
   (https://sourceforge.net/tracker/?func=detail&atid=725721&aid=1745220&group_id=132967).
2. The author concluded: "I am not happy that this is a real bug, and therefore will be closed until further notice."
3. After further discussion, the SVN version was fixed on July 02, 2007.

Solution:
- Edit the source code so that every value taken from $_SERVER (REQUEST_URI, PHP_SELF, QUERY_STRING) is escaped for its HTML attribute context before it is written out, e.g. htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES), or stop reflecting the request URI altogether and give the forms a fixed action (an empty action attribute, which browsers resolve to the current URL). The SVN version fixed on July 02, 2007 contains the author's correction.
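As an added example written for this page (not eTicket's own code, and not the author's fix), the following PHP puts the vulnerable form tag from user_login.php next to a hardened version, and rewrites the searc_form.php link builder so the URL is escaped once at the output boundary. The function names (attr, vulnerable_form_tag, safe_form_tag, safe_search_link) and the crafted request targets are assumptions made for the demonstration; htmlspecialchars() with ENT_QUOTES is standard PHP. One caveat to keep in mind when reproducing: REQUEST_URI is raw, so the injected quote must be sent literally (curl or a proxy will do that; browsers tend to percent-encode it), whereas PHP_SELF includes the URL-decoded PATH_INFO, so for the search-form link a quote can arrive through the path even when the client encoded it.

```php
<?php
// Added example for this advisory; not eTicket's own code.
// Demonstrates the attribute-context injection through REQUEST_URI / PHP_SELF
// and the escaping that closes it.
declare(strict_types=1);

/** Escape a value for an HTML attribute enclosed in double or single quotes. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern (user_login.php line 7 and the other forms listed above). */
function vulnerable_form_tag(string $requestUri): string
{
    return '<form action="' . $requestUri . '" method="post" name="user_login">';
}

/** Hardened form tag: same action value, escaped once where it enters the markup. */
function safe_form_tag(string $requestUri): string
{
    return '<form action="' . attr($requestUri) . '" method="post" name="user_login">';
}

/**
 * Hardened rewrite of the searc_form.php link builder (hypothetical helper).
 * The original inserted "&amp;" while building $surl and then echoed the whole
 * thing raw; here the URL is assembled with a plain '&' and escaped exactly once
 * when it is written into the href, which also avoids double-encoding.
 */
function safe_search_link(string $phpSelf, string $queryString, string $mode, string $label): string
{
    $url = $phpSelf . '?s=' . $mode;
    $qs  = (string) preg_replace('/s=(basic|advanced)/', '', $queryString);
    if ($qs !== '') {
        $url .= (substr($qs, 0, 1) === '&') ? $qs : '&' . $qs;
    }
    return '[<a href="' . attr($url) . '">' . attr($label) . '</a>]';
}

// Constructed request targets (not captured traffic). PHP does not URL-decode
// REQUEST_URI, so the double quote has to be sent literally by the client.
$craftedUri = '/eticket/user_login.php?x="><script>alert(document.cookie)</script>';

echo "vulnerable: ", vulnerable_form_tag($craftedUri), PHP_EOL;
echo "hardened:   ", safe_form_tag($craftedUri), PHP_EOL, PHP_EOL;

// PHP_SELF includes PATH_INFO, so for the search link the quote can ride in on the path.
$craftedSelf = '/eticket/searc_form.php/"><script>alert(1)</script>';
$craftedQs   = 's=basic&q=printer';

echo "search link: ", safe_search_link($craftedSelf, $craftedQs, 'advanced', 'Advanced search'), PHP_EOL;

// Self-check: neither hardened output may still contain an attribute break-out.
foreach ([safe_form_tag($craftedUri), safe_search_link($craftedSelf, $craftedQs, 'advanced', 'x')] as $html) {
    if (strpos($html, '"><script') !== false) {
        throw new RuntimeException('escaping failed: ' . $html);
    }
}
```

Run it with php from the command line; the first line printed shows the attribute closed and a script tag injected, the hardened lines show the same input rendered inert as &quot;&gt;&lt;script&gt;. The design point is that escaping belongs at the output boundary, per context, rather than in the string-building code: the original $surl mixed the two by emitting &amp; while building the URL, which is exactly why a later htmlspecialchars() call on it would double-encode.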