Popular Vulnerable Code

Character – Cross Site Scripting

Details

Affected Software: PhotoSmash

Fixed in Version: 1.0.5

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

Once again, we see the familiar pattern of the developer taking user/attacker-controlled values and using those values to build HTML markup. Line 76 is the start of a large echo statement which writes a couple of input fields to markup. The developer uses the $_REQUEST['bwbps_galname'] variable to populate the value attribute for one of the input form fields. Although not completely clear from the code snippet, the developers addressed this issue by placing an encoded version of $_REQUEST['bwbps_galname'] into a variable named $gallery_name and using the newly encoded value to build the HTML markup.

Although not addressed by this patch, there are a couple of areas that deserve deeper inspection. For example, on line 113 the application calls a JavaScript eval() on an unknown function. If this function contains user/attacker-supplied content, this could result in XSS. Additionally, on line 136 it seems the user/attacker has some influence on variables passed to a SWF object. If the SWF doesn't have the appropriate logic to handle the tainted data, this could result in a security vulnerability.

Developers Solution

<?php...snip...//Get a link for the Start Slideshow for PicLensfunction getPicLensLink($g,$atts){if($atts['link_text']){$link_text = $atts['link_text']} else{$link_text = 'Start Slideshow <img src="http://lite.piclens.com/images/PicLensButton.png"alt="PicLens"width="16"height="12"border="0"align="absmiddle">'}$picatts['id'] = $g['gallery_id'];$picatts['thumb_width'] = $g['thumb_width'];$picatts['thumb_height'] = $g['thumb_height'];$picatts['gallery_type'] = $g['gallery_type'];$picatts['images'] = $g['images'];$picatts['page'] = $g['page'];if($g['tags'] == 'post_tags'){$picatts['tags'] = $this->getPostTags(0)} else{$picatts['tags'] = $g['tags']}$param_array = $this->filterMRSSAttsFromArray($picatts,"");if( is_array($param_array)){$params = implode("&",$param_array);//$params = urlencode($params)}$ret = '<a class="piclenselink"href="javascript:PicLensLite.start({feedUrl:\''. plugins_url() . '/photosmash-galleries/bwbps-media-rss.php?'. $params . '\'});">' . $link_text . ' </a>';return $ret}function getPostTags($post_id){if(!$post_id ){global $wp_query;$post_id = $wp_query->post->ID}$terms = wp_get_object_terms( $post_id,'post_tag',$args ) ;if(is_array($terms)){foreach( $terms as $term ){$_terms[] = $term->name}unset($terms);if( is_array($_terms)){$ret = implode(",",$_terms)} else{$ret = ""}}return $ret}function mediaUAddGalleryFieldToMediaUploader(){if(isset($_REQUEST['bwbps_galid']) &&(int)$_REQUEST['bwbps_galid']){echo "<input type='hidden' id='bwbps_mediau_galid' name='bwbps_mediau_galid' value='". (int)$_REQUEST['bwbps_galid'] . "' /><input type='hidden' id='bwbps_galid' name='bwbps_galid' value='". (int)$_REQUEST['bwbps_galid'] . "' />-<input type='hidden' name='bwbps_galname' value='". $_REQUEST['bwbps_galname'] . "' />-<div style='background-color:#eaffdf;padding:5px;border:1px solid #a0a0a0;margin:3px;font-size:14px;color:#333;'>Adding to PhotoSmash:". $_REQUEST['bwbps_galname'] . "</div>+<input type='hidden' name='bwbps_galname' value='". $gallery_name . 
"' />+<div style='background-color:#eaffdf;padding:5px;border:1px solid #a0a0a0;margin:3px;font-size:14px;color:#333;'>Adding to PhotoSmash:". $gallery_name . "</div>"} else{$gid = isset($_REQUEST['bwbps_mediau_galid']) ? (int)$_REQUEST['bwbps_mediau_galid']:0;$galleryDDL = $this->getGalleryDDL($gid,"select gallery","","bwbps_mediau_galid",30,true,true);echo "<div style='padding:5px;margin:3px;font-size:14px;color:#333;'>Add to PhotoSmash:$galleryDDL</div>"}}function mediaUAddGalleryFieldToFlashUploader(){?><script type="text/javascript">if (typeof flashStartUploadFunctions == 'undefined'){var flashStartUploadFunctions = [];function addFlashStartUploadFunction( funct_name ){flashStartUploadFunctions.push( funct_name )}function runFlashStartUploadFunctions(){if( flashStartUploadFunctions.length >0 ){var bwbfunc;for( bwbfunc in flashStartUploadFunctions){eval(flashStartUploadFunctions[ bwbfunc ])}}}}addFlashStartUploadFunction( 'bwbpsAddGalleryToFlashUploader();' );jQuery(window).load( function(){swfu.settings.upload_start_handler = function(){runFlashStartUploadFunctions()}});function bwbpsAddGalleryToFlashUploader(){jQuery('#bwbps_uploaded_images',top.document).show().append('<h4>Flash upload...preview not available.</h4>');var gid = jQuery("#bwbps_mediau_galid_flash").val() + "";if( gid ){swfu.addPostParam('bwbps_mediau_galid',gid);<?phpif(isset($_REQUEST['bwbps_galid']) ){?>swfu.addPostParam('bwbps_galid',gid);<?php}?>}}</script><?phpif(isset($_REQUEST['bwbps_galid']) &&(int)$_REQUEST['bwbps_galid']){$this->count++;echo "<script type='text/javascript'>jQuery(window).load( function(){//Hide the other Media TabsjQuery('#tab-type_url').hide();jQuery('#tab-library').hide();";...snip...?>

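Review bot: the `+` lines keep the single-quoted attributes (`value='". $gallery_name . "'`) but the assignment of $gallery_name is outside the hunk, so a reviewer cannot see whether it encodes the single quote; htmlspecialchars() with its default flags leaves `'` as-is, so either pass ENT_QUOTES there or switch these attributes to double quotes, and document the encoder used next to the assignment. The unchanged mediaUAddGalleryFieldToFlashUploader() still builds its script around a JavaScript eval() over flashStartUploadFunctions, which the description flags for deeper inspection; within this hunk only the literal 'bwbpsAddGalleryToFlashUploader();' is ever registered, so a comment stating that no request data reaches that array would help the next reader.
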
Reasoning – Cross Site Scripting

Details

Affected Software: FreePBX

Fixed in Version: 2.9

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

To be honest, I was a little confused by this week's patch. There are several XSS bugs in this code. Originally, the vulnerable code would take a tainted $_REQUEST value (a value from a GET, POST, or cookie) and assign the tainted value to a couple of different PHP variables ($description and $notes in particular). The application then uses these tainted values on lines 136 and 140, resulting in XSS. The developer addressed these XSS issues by HTML-encoding the $_REQUEST values before assigning them to PHP variables. In the code mentioned above, the developer decided to encode/sanitize at the point of assignment (as opposed to the point of consumption). There are differing perspectives as to whether one should encode/sanitize upon assignment or consumption, but the truth is both methods work.

What's confusing is that the code sample contains many symptoms exactly like the vulnerable code addressed by this security patch. $type, $action, $old_custom_dest, and $custom_dest are all set in exactly the same way as the patched assignments. For some reason, the developer chose to ignore these assignments even though they are only a few lines away. Also, instead of encoding at the point of assignment (as they did for $description and $notes), the developer chose to change styles and encode at the point of consumption for one of the tainted variables (see lines 96 and 97). What's even more confusing is that only 4 lines later, we see the developer missed the same tainted variable used in an echo and failed to encode the tainted $custom_dest variable, resulting in XSS. Lines 77–79 also contain XSS vulnerabilities that were missed in this patch.

Developers Solution

<?php$tabindex = 0;$display = 'customdests';$type  = isset($_REQUEST['type']) ? $_REQUEST['type']:'tool';$action = isset($_REQUEST['action']) ? $_REQUEST['action']:'';if (isset($_REQUEST['delete'])) $action = 'delete';$old_custom_dest = isset($_REQUEST['old_custom_dest']) ? $_REQUEST['old_custom_dest']:'';$custom_dest = isset($_REQUEST['extdisplay']) ? $_REQUEST['extdisplay']:'';-$description = isset($_REQUEST['description']) ? $_REQUEST['description']:'';-$notes  = isset($_REQUEST['notes']) ? $_REQUEST['notes']:'';+$description = isset($_REQUEST['description']) ? htmlentities($_REQUEST['description']):'';+$notes  = isset($_REQUEST['notes']) ? htmlentities($_REQUEST['notes']):'';switch ($action){case 'add':if (customappsreg_customdests_add($custom_dest,$description,$notes)){needreload();redirect_standard()} else{$custom_dest=''}break;case 'edit':if (customappsreg_customdests_edit($old_custom_dest,$custom_dest,$description,$notes)){needreload();redirect_standard('extdisplay')}break;case 'delete':customappsreg_customdests_delete($custom_dest);needreload();redirect_standard();break}?></div><div class="rnav"><ul><?php echo '<li><a href="config.php?display='.$display.'&amp;type='.$type.'">'._('Add Custom Destination').'</a></li>';foreach (customappsreg_customdests_list() as $row){$descr = $row['description'] != '' ? $row['description']:'('.$row['custom_dest'].')';echo '<li><a href="config.php?display='.$display.'&amp;type='.$type.'&amp;extdisplay='.$row['custom_dest'].'"class="">'.$descr.'</a></li>'}?></ul></div><div class="content"><?phpif ($custom_dest != ''){// load$usage_list = framework_display_destination_usage(customappsreg_customdests_getdest($custom_dest));$row = customappsreg_customdests_get($custom_dest);$description = $row['description'];$notes  = $row['notes'];$disp_description = $row['description'] != '' ? 
$row['description']:'('.$row['custom_dest'].')';echo "<h2>"._("Edit:")."$disp_description"."</h2>"} else{echo "<h2>"._("Add Custom Destination")."</h2>"}$helptext = _("Custom Destinations allows you to register your custom destinations that point to custom dialplans and will also 'publish' these destinations as available destinations to other modules. This is an advanced feature and should only be used by knowledgeable users. If you are getting warnings or errors in the notification panel about CUSTOM destinations that are correct,you should include them here. The 'Unknown Destinations' chooser will allow you to choose and insert any such destinations that the registry is not aware of into the Custom Destination field.");echo $helptext;?><form name="editCustomDest"action="<?php $_SERVER['PHP_SELF'] ?>"method="post"onsubmit="return checkCustomDest(editCustomDest);"><input type="hidden"name="extdisplay"value="<?php echo $custom_dest;?>"><input type="hidden"name="old_custom_dest"value="<?php echo $custom_dest;?>"><input type="hidden"name="action"value="<?php echo ($custom_dest != '' ? 'edit':'add');?>"><table><tr><td colspan="2"><h5><?php echo ($custom_dest ? _("Edit Custom Destination"):_("Add Custom Destination")) ?><hr></h5></td></tr><tr><td><a href="#"class="info"><?php echo _("Custom Destination")?>:<span><?phpecho _("This is the Custom Destination to be published. It should be formatted exactly as you would put it in a goto statement,with context,exten,priority all included. An example might look like:<br />mycustom-app,s,1");if (!empty($usage_list)){echo "<br />"._("READONLY WARNING:Because this destination is being used by other module objects it can not be edited. 
You must remove those dependencies in order to edit this destination,or create a new destination to use")}?></span></a></td><?phpif (!empty($usage_list)){?>-<td><b><?php echo $custom_dest;?></b></td>+  <td><b><?php echo htmlentities($custom_dest);?></b></td><?php} else{?><td><input size="30"type="text"name="extdisplay"id="extdisplay"value="<?php echo $custom_dest;?>"tabindex="<?php echo ++$tabindex;?>"></td><?php}?></tr><?phpif (empty($usage_list)){?><tr><td><a href=# class="info"><?php echo _("Destination Quick Pick")?><span><?php echo _("Choose un-identified destinations on your system to add to the Custom Destination Registry. This will insert the chosen entry into the Custom Destination box above.")?></span></a></td><td><select onChange="insertDest();"id="insdest"tabindex="<?php echo ++$tabindex;?>"><option value=""><?php echo _("(pick destination)")?></option><?php$results = customappsreg_customdests_getunknown();foreach ($results as $thisdest){echo "<option value='$thisdest'>$thisdest</option>\n"}?></select></td></tr><?php}?><tr><td><a href="#"class="info"><?php echo _("Description")?>:<span><?php echo _("Brief Description that will be published to modules when showing destinations. Example:My Weather App")?></span></a></td><td><input size="30"type="text"name="description"value="<?php echo $description;?>"tabindex="<?php echo ++$tabindex;?>"></td></tr><tr><td valign="top"><a href="#"class="info"><?php echo _("Notes")?>:<span><?php echo _("More detailed notes about this destination to help document it. 
This field is not used elsewhere.")?></span></a></td><td><textarea name="notes"cols="23"rows="6"tabindex="<?php echo ++$tabindex;?>"><?php echo $notes;?></textarea></td></tr><tr><td colspan="2"><br><input name="Submit"type="submit"value="<?php echo _("Submit Changes")?>"tabindex="<?php echo ++$tabindex;?>"><?php if ($custom_dest != ''){echo '&nbsp;<input name="delete"type="submit"value="'._("Delete").'">';} ?></td><?phpif ($custom_dest != ''){if (!empty($usage_list)){?><tr><td colspan="2"><a href="#"class="info"><?php echo $usage_list['text']?>:<span><?php echo $usage_list['tooltip']?></span></a></td></tr><?php}}?></tr></table></form>...snip...</script>
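Review bot: htmlentities() at assignment means the encoded $description and $notes are what customappsreg_customdests_add()/_edit() receive and store, while $type and $custom_dest, read from $_REQUEST the same way a few lines earlier, are still echoed raw in this hunk (the `href="config.php?display='.$display.'&amp;type='.$type.'"` links, the hidden `extdisplay`/`old_custom_dest` inputs and the `value="<?php echo $custom_dest;?>"` text input); the single `+<td><b><?php echo htmlentities($custom_dest);?></b></td>` covers only one of those sinks. Suggest encoding at each echo instead, with rawurlencode() for $type inside the query string, and note that `action="<?php $_SERVER['PHP_SELF'] ?>"` has no echo, so the form action renders empty.
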

Radical – Cross Site Scripting

Details

Affected Software: BezahlCode-Generator

Fixed in Version: 1.1

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

A couple of straightforward XSS bugs. $_REQUEST is an associative array containing the contents of $_GET, $_POST, and $_COOKIE, all of which are user/attacker-controllable. These variables are then used to create HTML markup. Security bugs have many different causes. When auditing code for security issues, if you come across issues like the ones shown below it's highly likely that the developer simply doesn't understand the security risk they created. It might be a good idea to review other change lists associated with this developer, as they will likely contain similar code symptoms. This type of issue is also indicative of a lack of security awareness. The developer here could use some security education about various security issues, along with some tips on preventing these types of issues in the future.

Developers Solution

<?php  if ($data!='') {?><img src="/generator/?generate=<?php echo urlencode($data)?>"/><?php  }?></div><br/><form action="/generator/"name="wizard"method="post"class="BezahlCodeForm"><label for="singlepayment"><input type="radio"id="singlepayment"name="gen_type"value="singlepayment"<?php if($_REQUEST['gen_type']=="singlepayment"|| empty($_REQUEST['gen_type'])) echo 'checked="checked"'?>/>&Uuml;berweisung</label><br /><label for="singlepaymentspende"><input type="radio"id="singlepaymentspende"name="gen_type"value="singlepaymentspende"<?php if($_REQUEST['gen_type']=="singlepaymentspende") echo 'checked="checked"'?>/>Spendenzahlung</label><br /><label for="singledirectdebit"><input type="radio"id="singledirectdebit"name="gen_type"value="singledirectdebit"<?php if($_REQUEST['gen_type']=="singledirectdebit") echo 'checked="checked"'?>/>Lastschrift</label><br />-Name:<br /><input type="text"tooltipText="Format:DTAUS Text"id="gen_name"onblur="checkInput(this,'dtaus')"name="gen_name"maxlength="27"value="<?= isset($_REQUEST['gen_name'])?$_REQUEST['gen_name']:""?>">+Name:<br /><input type="text"tooltipText="Format:DTAUS Text"id="gen_name"onblur="checkInput(this,'dtaus')"name="gen_name"maxlength="27"value="<?= isset($_REQUEST['gen_name'])?htmlspecialchars($_REQUEST['gen_name']):""?>"><br />-Kontonummer:<br /><input type="text"tooltipText="Format:Ganzzahl z.B. 1234"id="gen_account"onblur="checkInput(this,'ganzzahl')"name="gen_account"value="<?= isset($_REQUEST['gen_account'])?$_REQUEST['gen_account']:""?>">+Kontonummer:<br /><input type="text"tooltipText="Format:Ganzzahl z.B. 1234"id="gen_account"onblur="checkInput(this,'ganzzahl')"name="gen_account"value="<?= isset($_REQUEST['gen_account'])?htmlspecialchars($_REQUEST['gen_account']):""?>"><br />-BLZ:<br /><input type="text"tooltipText="Format:Ganzzahl z.B. 
1234"id="gen_BNC"onblur="checkInput(this,'ganzzahl')"name="gen_BNC"value="<?= isset($_REQUEST['gen_BNC'])?$_REQUEST['gen_BNC']:""?>">+BLZ:<br /><input type="text"tooltipText="Format:Ganzzahl z.B. 1234"id="gen_BNC"onblur="checkInput(this,'ganzzahl')"name="gen_BNC"value="<?= isset($_REQUEST['gen_BNC'])?htmlspecialchars($_REQUEST['gen_BNC']):""?>"><br />-Betrag in Euro (z.B. 1234,50) <br /><input type="text"tooltipText="Format:Dezimalzahl z.B. 1234,50"onblur="checkInput(this,'dezimalzahl')"id="gen_amount"name="gen_amount"value="<?= isset($_REQUEST['gen_amount'])?$_REQUEST['gen_amount']:""?>">+Betrag in Euro (z.B. 1234,50) <br /><input type="text"tooltipText="Format:Dezimalzahl z.B. 1234,50"onblur="checkInput(this,'dezimalzahl')"id="gen_amount"name="gen_amount"value="<?= isset($_REQUEST['gen_amount'])?htmlspecialchars($_REQUEST['gen_amount']):""?>"><br />-Verwendungszweck:<br /><input type="text"id="gen_reason"tooltipText="Format:DTAUS Text"onblur="checkInput(this,'dtaus')"name="gen_reason"maxlength="54"value="<?= isset($_REQUEST['gen_reason'])?$_REQUEST['gen_reason']:""?>">+Verwendungszweck:<br /><input type="text"id="gen_reason"tooltipText="Format:DTAUS Text"onblur="checkInput(this,'dtaus')"name="gen_reason"maxlength="54"value="<?= isset($_REQUEST['gen_reason'])?htmlspecialchars($_REQUEST['gen_reason']):""?>"><br/><input type="button"value="Erstellen"onclick='javascript:generateImage();'></form><?php if(!(get_option("bezahlcode_showlink") == "hidden")){?><br /><span class="bezahlCodeLink">Weitere Informationen:<a href="http://www.bezahlcode.de"title="BezahlCode - Schnell,einfach und sicher bezahlen"target="_blank">www.bezahlcode.de</a></span><?php } ?></div><script type="text/javascript">var tooltipObj = new DHTMLgoodies_formTooltip();tooltipObj.initFormFieldTooltip();</script>
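Review bot: the same `isset($_REQUEST[...]) ? htmlspecialchars($_REQUEST[...]) : ""` expression is now copied five times inside `<?= ?>` short tags; a one-line helper called at each value attribute would keep the next field from regressing and let ENT_QUOTES be set once (the default flags are enough only while these attributes stay double-quoted). The `gen_type` comparisons at the top only compare and never echo the value, so they are fine as-is, and `urlencode($data)` in the img src is adequate for that query-string sink.
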

Light – Cross Site Scripting

Details

Affected Software: FreeNAS

Fixed in Version: 0.69.3

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

The code sample for this week contained a couple of XSS vulnerabilities. Although not essential for exploitation, it's also interesting to note that this response is an SVG image. You can see this by examining the header() call that sets the content type: header("Content-type: image/svg+xml");

The first issue is pretty easy to follow, so we'll begin there. On line 11, $ifname is assigned a tainted value from $_GET["ifname"]. After the variable assignment, the authors use the tainted variable to build HTML markup on line 66.

The second issue requires a little bit of tracing. First, the $ifnum variable is assigned a tainted value from $_GET["ifnum"] on line 10. $ifnum is then used to build the $fetch_link variable on line 18. If $fetch_link is ever used to build HTML markup, it will result in XSS.

The third issue also requires a bit of tracing. Once again, we start with the assignment of a tainted value to $ifnum on line 10. $ifnum is then used to build an error message on line 37 ($error_text). $error_text is then used to build HTML markup on line 72, resulting in XSS.

The developers addressed this issue by using htmlspecialchars() during the initial variable assignments. This takes care of all three of the XSS issues described above.
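The encode-at-consumption approach that the PhotoSmash, FreePBX, BezahlCode and FreeNAS write-ups above all circle around, as an added example (not code from any of those projects): one encoder per output context, applied where the tainted value is written, so an echo is safe regardless of how the variable was assigned. The fragment shapes mirror the four snippets on this page; the function names and the sample request values are this example's own, and it assumes PHP 7.0 or later.

```php
<?php
// Added example, not code from any of the projects discussed on this page.
// One encoder per output context, applied at the point of consumption, so an
// echo is safe no matter how the variable was assigned earlier.

// Text node or quoted attribute in HTML, and <text> content in SVG/XML.
// ENT_QUOTES also encodes the single quote as &#039;, which the default flags
// leave untouched; that is what makes single-quoted attributes (PhotoSmash's
// value='...') safe. ENT_SUBSTITUTE keeps invalid UTF-8 from yielding "".
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value inside a query string (FreeNAS's "stats.php?if=$ifnum", FreePBX's
// "config.php?...&type=$type"): percent-encode for the URL first. If the URL
// then lands in an HTML attribute, wrap the result in esc_html() as well.
function esc_url_param(string $value): string
{
    return rawurlencode($value);
}

// Builds the page-style fragments from one tainted request array and returns
// them keyed by the write-up they mirror.
function render_fragments(array $request): array
{
    $galname = (string) ($request['bwbps_galname'] ?? '');
    $type    = (string) ($request['type'] ?? 'tool');
    $genName = (string) ($request['gen_name'] ?? '');
    $ifnum   = (string) ($request['ifnum'] ?? '');
    $ifname  = (string) ($request['ifname'] ?? '');
    $ifname  = ($ifname !== '') ? $ifname : "Interface $ifnum";

    return [
        // PhotoSmash: hidden input with single-quoted attributes.
        'photosmash' => "<input type='hidden' name='bwbps_galname' value='" . esc_html($galname) . "' />",
        // FreePBX: $type inside a query string that is inside an href attribute.
        'freepbx'    => '<li><a href="config.php?display=customdests&amp;type='
                        . esc_html(esc_url_param($type)) . '">Add Custom Destination</a></li>',
        // BezahlCode: double-quoted value attribute.
        'bezahlcode' => '<input type="text" name="gen_name" value="' . esc_html($genName) . '">',
        // FreeNAS: SVG text node, plus the URL handed to the fetch script.
        'freenas'    => '<text id="ifname">' . esc_html($ifname) . '</text>',
        'fetch_link' => 'stats.php?if=' . esc_url_param($ifnum),
    ];
}

// Constructed sample: each value carries the character that would close its
// own context (a single quote, a double quote, an angle bracket, an ampersand).
$tainted = [
    'bwbps_galname' => "Holiday' title='x",
    'type'          => 'tool"><b>x</b>',
    'gen_name'      => '"><b>x</b>',
    'ifnum'         => 'em0&if=em1',
    'ifname'        => '<b>LAN</b>',
];

foreach (render_fragments($tainted) as $label => $fragment) {
    echo $label, ': ', $fragment, "\n";
}
```

Every quote and angle bracket in the output is an entity, and the ampersand in the interface number is `%26` inside the URL, so each fragment stays a single attribute value or text node.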

Developers Solution

<?php... snip ...require("guiconfig.inc");header("Content-type:image/svg+xml");+$ifnum=@htmlspecialchars($_GET["ifnum"]);// BSD / SNMP interface name / number+$ifname=@htmlspecialchars($_GET["ifname"]) ? htmlspecialchars($_GET["ifname"]):"Interface $ifnum";//Interface name that will be showed on top right of graph-$ifnum=@$_GET["ifnum"];// BSD / SNMP interface name / number-$ifname=@$_GET["ifname"]?$_GET["ifname"]:"Interface $ifnum";//Interface name that will be showed on top right of graph$scale_type="follow";//Autoscale default setup:"up"= only increase scale;"follow"= increase and decrease scale according to current graphed datas$nb_plot=120;  //NB plot in graph$time_interval=1;//Refresh time Interval$unit="bits";  //Initial unit type:"bits"or "bytes"$fetch_link = "stats.php?if=$ifnum";//SVG attributes$attribs['bg']='fill="#EEEEEE"stroke="none"stroke-width="0"opacity="1"';$attribs['axis']='fill="black"stroke="black"';$attribs['in']='fill="#00CC00"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="7"';$attribs['out']='fill="#FF0000"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="7"';$attribs['graph_in']='fill="none"stroke="#00CC00"stroke-opacity="0.8"';$attribs['graph_out']='fill="none"stroke="#FF0000"stroke-opacity="0.8"';$attribs['legend']='fill="black"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="4"';$attribs['graphname']='fill="#435370"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="8"';$attribs['grid_txt']='fill="gray"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="6"';$attribs['grid']='stroke="gray"stroke-opacity="0.5"';$attribs['switch_unit']='fill="#435370"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="4"text-decoration="underline"';$attribs['switch_scale']='fill="#435370"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="4"text-decoration="underline"';$attribs['error']='fill="red"font-family="Arial"font-size="4"';$attribs['collect_ini
tial']='fill="gray"font-family="Tahoma,Verdana,Arial,Helvetica,sans-serif"font-size="4"';//Error text if we cannot fetch data:depends on which method is used$error_text = gettext("Cannot get data about interface") . "$ifnum";$height=100; //SVG internal height:do not modify$width=200;  //SVG internal width:do not modify$encoding = system_get_language_codeset();header("Last-Modified:". gmdate( "D,j M Y H:i:s") . "GMT");header("Expires:". gmdate( "D,j M Y H:i:s",time() ) . "GMT");header("Cache-Control:no-store,no-cache,must-revalidate");// HTTP/1.1header("Cache-Control:post-check=0,pre-check=0",FALSE);header("Pragma:no-cache");// HTTP/1.0header("Content-type:image/svg+xml");echo "<?xml version=\"1.0\"encoding=\"{$encoding}\"?>\n";?><svg width="100%"height="100%"viewBox="0 0 <?=$width?><?=$height?>"preserveAspectRatio="none"xml:space="preserve"xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"onload="init(evt)"><g id="graph"> <rect id="bg"x1="0"y1="0"width="100%"height="100%"<?=$attribs['bg']?>/> <line id="axis_x"x1="0"y1="0"x2="0"y2="100%"<?=$attribs['axis']?>/> <line id="axis_y"x1="0"y1="100%"x2="100%"y2="100%"<?=$attribs['axis']?>/> <path id="graph_out"d="M0 <?=$height?>L 0 <?=$height?>"<?=$attribs['graph_out']?>/> <path id="graph_in"d="M0 <?=$height?>L 0 <?=$height?>"<?=$attribs['graph_in']?>/> <path id="grid"d="M0 <?=$height/4*1?>L <?=$width?><?=$height/4*1?>M0 <?=$height/4*2?>L <?=$width?><?=$height/4*2?>M0 <?=$height/4*3?>L <?=$width?><?=$height/4*3?>"<?=$attribs['grid']?>/> <text id="grid_txt1"x="<?=$width?>"y="<?=$height/4*1?>"<?=$attribs['grid_txt']?>text-anchor="end">75%</text> <text id="grid_txt2"x="<?=$width?>"y="<?=$height/4*2?>"<?=$attribs['grid_txt']?>text-anchor="end">50%</text> <text id="grid_txt3"x="<?=$width?>"y="<?=$height/4*3?>"<?=$attribs['grid_txt']?>text-anchor="end">25%</text> <text id="graph_in_lbl"x="5"y="8"<?=$attribs['in']?>><?=gettext("In");?><tspan id="graph_in_txt"<?=$attribs['in']?>></tspan></text> <text 
id="graph_out_lbl"x="5"y="16"<?=$attribs['out']?>><?=gettext("Out");?><tspan id="graph_out_txt"<?=$attribs['out']?>></tspan></text> <text id="ifname"x="<?=$width?>"y="8"<?=$attribs['graphname']?>text-anchor="end"><?=$ifname?></text> <text id="switch_unit"x="<?=$width*0.55?>"y="5"<?=$attribs['switch_unit']?>><?=sprintf(gettext("Switch to %s/s"),("bits"=== $unit) ? "bytes":"bits");?></text> <text id="switch_scale"x="<?=$width*0.55?>"y="11"<?=$attribs['switch_scale']?>><?=gettext("AutoScale");?>(<?=("up"=== $scale_type) ? gettext("Up"):gettext("Follow");?>)</text> <text id="datetime"x="<?=$width*0.55?>"y="17"<?=$attribs['legend']?>></text> <text id="graphlast"x="<?=$width*0.55?>"y="23"<?=$attribs['legend']?>><?=gettext("Graph shows last");?><?=$time_interval*$nb_plot?><?=gettext("seconds");?></text> <polygon id="axis_arrow_x"<?=$attribs['axis']?>points="<?=($width) . ",". ($height)?><?=($width-2) . ",". ($height-2)?><?=($width-2) . ",". $height?>"/> <text id="error"x="<?=$width*0.5?>"y="<?=$height*0.4?>"visibility="hidden"<?=$attribs['error']?>text-anchor="middle"><?=$error_text?></text> <text id="collect_initial"x="<?=$width*0.5?>"y="<?=$height*0.4?>"visibility="hidden"<?=$attribs['collect_initial']?>text-anchor="middle"><?=gettext("Collecting initial data,please wait...");?></text></g><script type="text/ecmascript"> <![CDATA[if (typeof getURL == 'undefined'){getURL = function(url,callback){ if (!url) throw 'No URL for getURL'; try{if (typeof callback.operationComplete == 'function')  callback = callback.operationComplete; } catch (e){}  if (typeof callback != 'function') throw 'No callback function for getURL'; var http_request = null; if (typeof XMLHttpRequest != 'undefined'){http_request = new XMLHttpRequest(); }  else if (typeof ActiveXObject != 'undefined'){try{ http_request = new ActiveXObject('Msxml2.XMLHTTP');} catch (e){ try{  http_request = new ActiveXObject('Microsoft.XMLHTTP'); } catch (e){} }  }  if (!http_request) throw 'Both getURL and XMLHttpRequest 
are undefined'; http_request.onreadystatechange = function(){if (http_request.readyState == 4){ callback({success:true,content:http_request.responseText,contentType:http_request.getResponseHeader("Content-Type") } );}  }  http_request.open('GET',url,true); http_request.send(null);}}
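Review bot: `$ifname=@htmlspecialchars($_GET["ifname"]) ? htmlspecialchars($_GET["ifname"]):"Interface $ifnum";` encodes the same value twice and relies on `@` to hide the undefined-index notice; an `isset($_GET["ifname"]) && $_GET["ifname"] !== ''` test with a single htmlspecialchars() reads better and does not fall back to the default for an ifname of "0". The encoded $ifnum is also interpolated into `$fetch_link = "stats.php?if=$ifnum"`, which is a URL consumed by the getURL() script rather than markup, so HTML entities there change the query value; rawurlencode() is the right encoder for that sink. htmlspecialchars() rather than htmlentities() is the correct choice for the `<text>` nodes because the document is image/svg+xml and XML predefines only the five basic entities.
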

Banks – Cross Site Scripting

Details

Affected Software: PunBB

Fixed in Version: 1.3

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

Passwords, passwords, passwords. For some reason, developers sometimes assume password values are safe and do not need encoding. In this example, the developers chose to encode username values (line 87); however, they assumed password values would be safe. The incorrect assumption led to an XSS vulnerability. In line 94 we see that the developers chose to echo a user-supplied password value in the HTML markup without encoding. HTML rendered by the browser doesn't distinguish between parameters that are supposed to be passwords and other random values, resulting in XSS. The developers wisely chose to HTML-encode the password value before using the value in HTML markup. When writing password values to the database, passwords should be hashed before being inserted. Hashing passwords before writing them into a database prevents most injection attacks (if the hash output consists of only alphanumeric characters) and also helps prevent disclosure if the database is compromised. Password values should also not be displayed in cleartext in HTML…

Developers Solution

...snip...<?php($hook = get_hook('li_forgot_pass_end')) ? eval($hook):null;$tpl_temp = forum_trim(ob_get_contents());$tpl_main = str_replace('<!-- forum_main -->',$tpl_temp,$tpl_main);ob_end_clean();// END SUBST - <!-- forum_main -->require FORUM_ROOT.'footer.php'}if (!$forum_user['is_guest'])header('Location:'.forum_link($forum_url['index']));// Setup form$forum_page['group_count'] = $forum_page['item_count'] = $forum_page['fld_count'] = 0;$forum_page['form_action'] = forum_link($forum_url['login']);$forum_page['hidden_fields'] = array('form_sent'=>'<input type="hidden"name="form_sent"value="1"/>','redirect_url'=>'<input type="hidden"name="redirect_url"value="'.forum_htmlencode($forum_user['prev_url']).'"/>','csrf_token'=>'<input type="hidden"name="csrf_token"value="'.generate_form_token($forum_page['form_action']).'"/>');// Setup breadcrumbs$forum_page['crumbs'] = array(array($forum_config['o_board_title'],forum_link($forum_url['index'])),array(sprintf($lang_login['Login info'],$forum_config['o_board_title']),forum_link($forum_url['login'])));($hook = get_hook('li_login_pre_header_load')) ? eval($hook):null;define('FORUM_PAGE','login');require FORUM_ROOT.'header.php';// START SUBST - <!-- forum_main -->ob_start();($hook = get_hook('li_login_output_start')) ? eval($hook):null;?><div class="main-head"><h2 class="hn"><span><?php echo sprintf($lang_login['Login info'],$forum_config['o_board_title']) ?></span></h2></div><div class="main-content main-frm"><div class="content-head"><p class="hn"><?php printf($lang_login['Login options'],'<a href="'.forum_link($forum_url['register']).'">'.$lang_login['register'].'</a>','<a href="'.forum_link($forum_url['request_password']).'">'.$lang_login['Obtain pass'].'</a>') ?></p></div><?php// If there were any errors,show themif (!empty($errors)){$forum_page['errors'] = array();foreach ($errors as $cur_error)$forum_page['errors'][] = '<li class="warn"><span>'.$cur_error.'</span></li>';($hook = get_hook('li_pre_login_errors')) ? 
eval($hook):null;?><div class="ct-box error-box"><h2 class="warn hn"><?php echo $lang_login['Login errors'] ?></h2><ul class="error-list"><?php echo implode("\n\t\t\t\t",$forum_page['errors'])."\n"?></ul></div><?php}?><div id="req-msg"class="req-warn ct-box error-box"><p class="important"><?php printf($lang_common['Required warn'],'<em>'.$lang_common['Required'].'</em>') ?></p></div><form id="afocus"class="frm-form"method="post"accept-charset="utf-8"action="<?php echo $forum_page['form_action'] ?>"><div class="hidden"><?php echo implode("\n\t\t\t\t",$forum_page['hidden_fields'])."\n"?></div><?php ($hook = get_hook('li_login_pre_login_group')) ? eval($hook):null;?><div class="frm-group group<?php echo ++$forum_page['group_count'] ?>"><?php ($hook = get_hook('li_login_pre_username')) ? eval($hook):null;?><div class="sf-set set<?php echo ++$forum_page['item_count'] ?>"><div class="sf-box text required"><label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_login['Username'] ?><em><?php echo $lang_common['Required'] ?></em></span></label><br /><span class="fld-input"><input type="text"id="fld<?php echo $forum_page['fld_count'] ?>"name="req_username"value="<?php echo isset($_POST['req_username']) ? forum_htmlencode($_POST['req_username']):'' ?>"size="35"maxlength="25"/></span></div></div><?php ($hook = get_hook('li_login_pre_pass')) ? eval($hook):null;?><div class="sf-set set<?php echo ++$forum_page['item_count'] ?>"><div class="sf-box text required"><label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_login['Password'] ?><em><?php echo $lang_common['Required'] ?></em></span></label><br />-<span class="fld-input"><input type="password"id="fld<?php echo $forum_page['fld_count'] ?>"name="req_password"value="<?php echo isset($_POST['req_password']) ? 
($_POST['req_password']):'' ?>"size="35"/></span>+<span class="fld-input"><input type="password"id="fld<?php echo $forum_page['fld_count'] ?>"name="req_password"value="<?php echo isset($_POST['req_password']) ? forum_htmlencode($_POST['req_password']):'' ?>"size="35"/></span></div></div><?php ($hook = get_hook('li_login_pre_remember_me_checkbox')) ? eval($hook):null;?><div class="sf-set set<?php echo ++$forum_page['item_count'] ?>"><div class="sf-box checkbox"><span class="fld-input"><input type="checkbox"id="fld<?php echo ++$forum_page['fld_count'] ?>"name="save_pass"value="1"/></span><label for="fld<?php echo $forum_page['fld_count'] ?>"><span><?php echo $lang_login['Remember me'] ?></span><?php echo $lang_login['Persistent login'] ?></label></div></div><?php ($hook = get_hook('li_login_pre_group_end')) ? eval($hook):null;?></div><?php ($hook = get_hook('li_login_group_end')) ? eval($hook):null;?><div class="frm-buttons"><span class="submit"><input type="submit"name="login"value="<?php echo $lang_login['Login'] ?>"/></span></div></form></div><?php($hook = get_hook('li_end')) ? eval($hook):null;$tpl_temp = forum_trim(ob_get_contents());$tpl_main = str_replace('<!-- forum_main -->',$tpl_temp,$tpl_main);ob_end_clean();// END SUBST - <!-- forum_main -->require FORUM_ROOT.'footer.php';
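Review bot: the `+` line still echoes the submitted password back into `value="..."`, now through forum_htmlencode(); that closes the XSS, but the cleartext password is then returned in the HTML of every failed login and to whatever caches or proxies see the response. Suggest dropping the value attribute from the password input altogether (the username field, encoded the same way, is the only one that needs re-populating) and keeping forum_htmlencode() for prev_url and req_username as the hunk already does.
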

Price – Cross Site Scripting

Details

Affected Software: PunBB

Fixed in Version: 2.1

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

This week's vulnerability was an XSS bug in PunBB. PunBB was taking an untrusted value directly from the POST parameter ($_POST['prune_sticky']) and echoing it directly into the value attribute of a hidden form input field. You can see the XSS bug in line 98. This echoing of untrusted input results in XSS.

The PunBB developers did something I really like here. Instead of fixing the single instance of XSS and moving on, the PunBB developers went a step further and hardened the use of $_POST['prune_sticky']. Instead of allowing users/attackers to provide arbitrary values for $_POST['prune_sticky'], they restricted the acceptable values to 1 or 0. You can see this fix in line 11. This is a perfect example of root cause analysis in action. The PunBB developers took a few minutes to understand how the application uses $_POST['prune_sticky'] and adjusted the application behavior to protect against other attacks while remaining transparent to the user. This patch submitted by the PunBB developers goes a long way in protecting their customers and is a great example of being smart about security fixes.
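The allow-list idea behind the prune_sticky fix, carried through to the other two prune parameters, as an added example (not PunBB's code): every field is reduced to a canonical value before the hidden fields, the SQL fragment or the prune step see it. The class and function names and the sample requests are this example's own; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not PunBB code: canonicalise the prune form up front, as the
// patch does for prune_sticky, so the hidden fields, the SQL fragment and the
// prune() call all receive a value from a fixed set instead of raw $_POST text.
// Assumes PHP 7.4 or later (typed properties, arrow functions).

final class PruneRequest
{
    public string $from;    // 'all' or a decimal forum id
    public int    $days;    // topics older than this many days are pruned
    public bool   $sticky;  // whether sticky topics are pruned too
}

// Returns the canonical request, or null when a field is outside its allowed set.
function canonicalise_prune_request(array $post): ?PruneRequest
{
    $r = new PruneRequest();

    // prune_sticky: presence alone decides, exactly as in the patch; the
    // submitted text is never stored or echoed.
    $r->sticky = isset($post['prune_sticky']);

    // prune_days: digits only. \A and \z anchor at the real string ends, while
    // $ would still match before a trailing newline.
    $days = $post['prune_days'] ?? null;
    if (!is_string($days) || !preg_match('/\A[1-9][0-9]{0,5}\z/', $days)) {
        return null;
    }
    $r->days = (int) $days;

    // prune_from: the literal 'all' or a positive forum id.
    $from = $post['prune_from'] ?? null;
    if ($from === 'all') {
        $r->from = 'all';
    } elseif (is_string($from) && preg_match('/\A[1-9][0-9]{0,9}\z/', $from)) {
        $r->from = $from;
    } else {
        return null;
    }
    return $r;
}

// The hidden fields the confirmation form echoes. htmlspecialchars() stays as
// a second layer, but after canonicalisation it has nothing left to encode.
function render_confirm_fields(PruneRequest $r): string
{
    $h = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="prune_days" value="' . $h((string) $r->days) . '" />'
         . '<input type="hidden" name="prune_sticky" value="' . ($r->sticky ? '1' : '0') . '" />'
         . '<input type="hidden" name="prune_from" value="' . $h($r->from) . '" />';
}

// The WHERE clause of the topic-count query, built only from canonical values.
function prune_where_clause(PruneRequest $r, int $now): string
{
    $sql = 'WHERE last_post<' . ($now - $r->days * 86400) . ' AND moved_to IS NULL';
    if (!$r->sticky) {
        $sql .= " AND sticky='0'";
    }
    if ($r->from !== 'all') {
        $sql .= ' AND forum_id=' . $r->from;
    }
    return $sql;
}

// Constructed samples: the first carries markup in prune_sticky, which is simply
// discarded; the second has a trailing newline in prune_days and is rejected.
$ok  = canonicalise_prune_request(['prune_days' => '30', 'prune_from' => '7', 'prune_sticky' => '"><b>x</b>']);
$bad = canonicalise_prune_request(['prune_days' => "30\n", 'prune_from' => 'all']);

echo $ok ? render_confirm_fields($ok) . "\n" . prune_where_clause($ok, 1700000000) . "\n" : "first request rejected\n";
echo $bad === null ? "second request rejected\n" : "second request accepted\n";
```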

Developers Solution

<?php... <snip>...if (isset($_GET['action']) || isset($_POST['prune']) || isset($_POST['prune_comply'])){if (isset($_POST['prune_comply'])){confirm_referrer('admin_prune.php');$prune_from = $_POST['prune_from'];+$prune_sticky = isset($_POST['prune_sticky']) ? '1':'0';$prune_days = intval($_POST['prune_days']);$prune_date = ($prune_days) ? time() - ($prune_days*86400):-1;@set_time_limit(0);if ($prune_from == 'all'){$result = $db->query('SELECT id FROM '.$db->prefix.'forums') or error('Unable to fetch forum list',__FILE__,__LINE__,$db->error());$num_forums = $db->num_rows($result);for ($i = 0;$i <$num_forums;++$i){$fid = $db->result($result,$i);-prune($fid,$_POST['prune_sticky'],$prune_date);+prune($fid,$prune_sticky,$prune_date);update_forum($fid)}}else{$prune_from = intval($prune_from);-prune($prune_from,$_POST['prune_sticky'],$prune_date);+prune($fid,$prune_sticky,$prune_date);update_forum($prune_from)}// Locate any "orphaned redirect topics"and delete them$result = $db->query('SELECT t1.id FROM '.$db->prefix.'topics AS t1 LEFT JOIN '.$db->prefix.'topics AS t2 ON t1.moved_to=t2.id WHERE t2.id IS NULL AND t1.moved_to IS NOT NULL') or error('Unable to fetch redirect topics',__FILE__,__LINE__,$db->error());$num_orphans = $db->num_rows($result);if ($num_orphans){for ($i = 0;$i <$num_orphans;++$i)$orphans[] = $db->result($result,$i);$db->query('DELETE FROM '.$db->prefix.'topics WHERE id IN('.implode(',',$orphans).')') or error('Unable to delete redirect topics',__FILE__,__LINE__,$db->error())}redirect('admin_prune.php','Posts pruned. Redirecting &hellip;')}$prune_days = $_POST['req_prune_days'];if (!@preg_match('#^\d+$#',$prune_days))message('Days to prune must be a positive integer.');$prune_date = time() - ($prune_days*86400);$prune_from = $_POST['prune_from'];// Concatenate together the query for counting number or topics to prune$sql = 'SELECT COUNT(id) FROM '.$db->prefix.'topics WHERE last_post<'.$prune_date.' 
AND moved_to IS NULL';-if ($_POST['prune_sticky'] == '0')+if (!$prune_sticky)$sql .= ' AND sticky=\'0\'';if ($prune_from != 'all'){$prune_from = intval($prune_from);$sql .= ' AND forum_id='.$prune_from;// Fetch the forum name (just for cosmetic reasons)$result = $db->query('SELECT forum_name FROM '.$db->prefix.'forums WHERE id='.$prune_from) or error('Unable to fetch forum name',__FILE__,__LINE__,$db->error());$forum = '"'.pun_htmlspecialchars($db->result($result)).'"'}else$forum = 'all forums';$result = $db->query($sql) or error('Unable to fetch topic prune count',__FILE__,__LINE__,$db->error());$num_topics = $db->result($result);if (!$num_topics)message('There are no topics that are '.$prune_days.' days old. Please decrease the value of "Days old"and try again.');$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / Admin / Prune';require PUN_ROOT.'header.php';generate_admin_menu('prune');?><div class="blockform"><h2><span>Prune</span></h2><div class="box"><form method="post"action="admin_prune.php?action=foo"><div class="inform"><input type="hidden"name="prune_days"value="<?php echo $prune_days ?>"/>-<input type="hidden"name="prune_sticky"value="<?php echo $_POST['prune_sticky'] ?>"/>+<input type="hidden"name="prune_sticky"value="<?php echo $prune_sticky ?>"/><input type="hidden"name="prune_from"value="<?php echo $prune_from ?>"/><fieldset><legend>Confirm prune posts</legend><div class="infldset"><p>Are you sure that you want to prune all topics older than <?php echo $prune_days ?>days from <?php echo $forum ?>? (<?php echo $num_topics ?>topics)</p><p>WARNING! Pruning posts deletes them permanently.</p></div></fieldset></div><p><input type="submit"name="prune_comply"value="Prune"/><a href="javascript:history.go(-1)">Go back</a></p></form></div></div><div class="clearer"></div></div>... <snip>...
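Review bot: the replacement in the `else` branch, `+prune($fid,$prune_sticky,$prune_date);`, passes `$fid` where the removed line passed `$prune_from`; `$fid` is only assigned inside the `for` loop of the `'all'` branch, so the single-forum prune now receives an undefined variable (null, i.e. forum 0) instead of the selected forum. It should read `prune($prune_from,$prune_sticky,$prune_date);`. The `+$prune_sticky = isset($_POST['prune_sticky']) ? '1':'0';` allow-list and the `+if (!$prune_sticky)` SQL guard are correct (`'0'` is falsy in PHP), and the hidden input now echoes only `'0'` or `'1'`. Style: the `// Concatenate together the query for counting number or topics to prune` comment should read "number of topics".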

Last – Cross Site Scripting

Details

Affected Software: AskApache Password Protector

Fixed in Version: 4.0.1

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

At first glance, we see that the vulnerable code sample comes from an error page of some sort. Error pages are often overlooked when it comes to security (or even general QA). Make sure you put your error pages through the same rigorous security process as any other page. The Same Origin Policy won't distinguish between a forgotten error page and the highly trafficked portal page of your web application: a vulnerability on an error page can have the same devastating effect as a vulnerability on the main portal page. Looking at this bug, we see that the error page is a bit too helpful and echoes back all the information contained in the $_SERVER superglobal. Unfortunately, this superglobal contains all sorts of user/attacker controlled information, resulting in XSS. In this fix, the developers wisely removed the vulnerable line entirely.

Developers Solution

<?phpob_start();//http://www.askapache.com/htaccess/apache-status-code-headers-errordocument.html... <SNIP>...if (isset($_SERVER['REDIRECT_STATUS'])) $err_code = $_SERVER['REDIRECT_STATUS'];$err_req_meth = $_SERVER['REQUEST_METHOD'];$err_req = htmlentities(strip_tags($_SERVER['REQUEST_URI']));$err_phrase = $err_status_codes[$err_code][0];$err_body = str_replace( array('INTERROR','THEREQUESTURI','THEREQMETH'),array('The server encountered an internal error or misconfiguration and was unable to complete your request.',$err_req,$err_req_meth),$err_status_codes[$err_code][1]);@header("HTTP/1.1 $err_code $err_phrase",1);@header("Status:$err_code $err_phrase",1);//400 || 408 || 413 || 414 || 500 || 503 || 501//@header("Connection:close",1);if ( $err_code=='400'||$err_code=='403'||$err_code=='405'||$err_code[0]=='5'){@header("Connection:close",1);if ($err_code == '405') @header('Allow:GET,HEAD,POST,OPTIONS,TRACE');echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html>\n<head>\n<title>{$err_code}{$err_phrase}</title>\n<h1>{$err_phrase}</h1>\n<p>{$err_body}<br>\n</p>\n</body></html>"} else echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xml:lang="en"lang="en"><head><title>'.$err_code.' '.$err_phrase.'</title><meta http-equiv="content-type"content="text/html;charset=UTF-8"/></head><body><h1>'.$err_code.' '.$err_phrase.'</h1><hr /><p>'.$err_body.'<br /></p><pre>-'.print_r($_SERVER,1).'</pre></body></html>';?>
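Review bot: removing `print_r($_SERVER,1)` from the `<pre>` closes the reported XSS, but `$err_code` is still taken straight from `$_SERVER['REDIRECT_STATUS']` and used both as the index into `$err_status_codes` and in the `HTTP/1.1 $err_code $err_phrase` header; validate it with `isset($err_status_codes[$err_code])` and fall back to 500, otherwise an unknown status yields an empty `$err_phrase`/`$err_body` and a malformed status line. `$err_req_meth` is substituted into `$err_body` unencoded while `$err_req` goes through `htmlentities(strip_tags(...))`; treat both the same way. Style: the HTML 2.0 branch's `echo` never emits `</head>` or `<body>` before the `<h1>`.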

Anyway – Cross Site Scripting

Details

Affected Software: The Hackers Diet

Fixed in Version: 9.7b

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

First, some logistics: the code we're looking at belongs to the "Weight_save.php" file, which is part of the "Hackers Diet" WordPress plugin. This plugin was created to "Help you track and predict weight loss using your WordPress blog". A single change was made to Weight_save.php in this changeset. It simply removes an obvious XSS bug in which POST parameters were printed into the HTML markup. This line was likely used for debugging and forgotten when the code was released to production. A more robust testing and release process would have caught this.

Although the developers prevented an XSS vulnerability, they completely overlooked several other issues. IndigoMann (via blog comments) noticed XSS and SQL Injection in this code. The one issue that jumps out at me is this line:

$user_id = $_POST["user"];

I always become very suspicious when an application passes user IDs back and forth. Ideally, this data should be kept in session state; otherwise an attacker could pass an arbitrary value and access (and possibly update) another user's data. Looking at the code, it appears this may be the case with the Hackers Diet plugin.
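How the same save handler looks when the user identity comes from the session rather than the request, as an added example that is not the plugin's code. It assumes it runs inside WordPress (so $wpdb, get_current_user_id(), check_ajax_referer() and esc_html() exist); the nonce action name 'hackdiet_save' and the "7-character prefix followed by a unix timestamp" layout of $_POST['id'] are assumptions taken from the original substr($_POST["id"],7).

```php
<?php
// Added example (not the plugin's code): weight-save handler where the acting
// user is the logged-in WordPress user and every query is parameterised.
// Assumes WordPress is loaded; 'hackdiet_save' is an assumed nonce action.
function hackdiet_save_weight_hardened() {
    global $wpdb;
    $table = $wpdb->prefix . 'hackdiet_weightlog';

    // Identity comes from the authenticated session, never from $_POST['user'].
    $user_id = get_current_user_id();
    if ( $user_id === 0 ) {
        wp_die( 'Not logged in.', '', array( 'response' => 403 ) );
    }
    // The nonce ties this POST to a form this user was actually shown (CSRF).
    check_ajax_referer( 'hackdiet_save' );

    // Validate the shape strictly; is_numeric() would also accept "1e3" or " 7".
    $id      = isset( $_POST['id'] ) ? (string) $_POST['id'] : '';
    $content = isset( $_POST['content'] ) ? (string) $_POST['content'] : '';
    $ts      = substr( $id, 7 );   // assumed layout: 7-char prefix + timestamp
    if ( $ts === false || ! ctype_digit( $ts )
         || ! preg_match( '/^\d{1,3}(\.\d{1,2})?$/', $content ) ) {
        echo 'Please enter a valid number for your weight.';
        exit;
    }
    $day    = date( 'Y-m-d', (int) $ts );
    $weight = round( (float) $content, 1 );

    // Decide update vs insert with a query rather than affected_rows(), which
    // is 0 when the stored weight is unchanged and would cause a duplicate row.
    $exists = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE wp_id = %d AND date = %s",
        $user_id, $day
    ) );
    if ( (int) $exists > 0 ) {
        $ok = $wpdb->update(
            $table, array( 'weight' => $weight ),
            array( 'wp_id' => $user_id, 'date' => $day ),
            array( '%f' ), array( '%d', '%s' )
        );
    } else {
        $ok = $wpdb->insert(
            $table,
            array( 'wp_id' => $user_id, 'date' => $day, 'weight' => $weight ),
            array( '%d', '%s', '%f' )
        );
    }
    if ( $ok === false ) {
        echo 'Save failed.';
        exit;
    }
    // Output encoding for the value reflected back into the page.
    echo esc_html( $weight );
}
```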

Developers Solution

<?// get our db settings without loading all of wordpress every save$html = implode('',file("../../../wp-config.php"));$html = str_replace ("require_once","// ",$html);$html = str_replace ("<?php","",$html);$html = str_replace ("?>","",$html);eval($html);if (isset($_POST["id"]) &&isset($_POST["user"]) &&is_numeric($_POST["user"]) &&isset($_POST["content"]) &&is_numeric($_POST["content"])){$date = substr($_POST["id"],7);$user_id = $_POST["user"];$weight = round($_POST["content"],1)} else{-print_r($_POST);+//print_r($_POST);echo "Please enter a valid number for your weight.";exit}mysql_connect(DB_HOST,DB_USER,DB_PASSWORD);mysql_select_db(DB_NAME);$query = "update ".$table_prefix."hackdiet_weightlog set weight = $weight where wp_id = $user_id and date = \"".date("Y-m-d",$date)."\"";mysql_query($query);if (mysql_affected_rows() != 1){// record doesn't exist yet,lets create it$query = "insert into ".$table_prefix."hackdiet_weightlog set date = \"".date("Y-m-d",$date)."\",weight = $weight,wp_id = $user_id";mysql_query($query);if (mysql_affected_rows() != 1){echo "Save failed. - ". mysql_error();exit()} else{echo htmlspecialchars($weight)}} else{echo htmlspecialchars($weight)}$query = "select trend from ".$table_prefix."hackdiet_weightlog where wp_id = $user_id and date <\"".date("Y-m-d",$date)."\"order by date desc limit 1";$result = mysql_query($query);if (mysql_num_rows($result) == 1){$trend = mysql_result($result,0);$use_first_weight_as_trend = false} else{// no trends exist below this entry,we must be first. 
so in next query,we need to grab today's weight to be trend 1$use_first_weight_as_trend = true}$query = "select date,weight,trend from ".$table_prefix."hackdiet_weightlog where wp_id = $user_id and date >= \"".date("Y-m-d",$date)."\"order by date asc";$result = mysql_query($query);while ($entry = mysql_fetch_assoc($result)){if ($use_first_weight_as_trend){$trend = $entry["weight"];$use_first_weight_as_trend = false} else{// exponentially smoothed moving average with 10% smoothing$trend = $trend + 0.1 * ($entry["weight"] - $trend)}$entry["trend"] = $trend;$weights[] = $entry}foreach ($weights as $entry){$query = "update ".$table_prefix."hackdiet_weightlog set trend = ".round($entry["trend"],1)."where wp_id = $user_id and date = \"".$entry["date"]."\"";mysql_query($query)}// 0 will always be the edited date,since the list contains the edited entry + all the ones after it,sorted asc.$dif = round($weights[0]["weight"] - $weights[0]["trend"],1);echo "<span class=\"trend_dif ".(($dif <0)?"good_trend":"bad_trend")."\">$dif</span>";?>
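Review bot: commenting out `print_r($_POST)` removes the echo but leaves the rest of the handler as it was: `$user_id = $_POST["user"]` still decides whose row is written, `$date = substr($_POST["id"],7)` is never validated before `date("Y-m-d",$date)`, and every query is built by string concatenation into `mysql_query()`. `is_numeric()` accepts forms such as `1e3` and leading whitespace, so it is not a substitute for an integer cast or a parameterised query. Also, `eval($html)` over a rewritten copy of `wp-config.php` executes whatever that file contains just to obtain the DB constants; loading WordPress through `wp-load.php` in the same directory gives those constants plus `$wpdb` and the logged-in user. Minor: `exit()` and `exit` are used inconsistently.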

Haircut – Cross Site Scripting

Details

Affected Software: WP-Slimbox 2

Fixed in Version: 1.0.1

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

A bit of a head fake here. There are a lot of variable assignments in this code, and lots of variable assignments mean a lot of tracing during a security code audit. As soon as a variable is set from an untrusted value, it becomes tainted. Following that variable until you find exactly where it's being used is crucial to understanding whether a security bug exists. Any one of those variable assignments could easily result in a major security vulnerability. In this week's example, the vulnerable line came before the massive set of variable assignments. Once again, we see PHP_SELF being used to create a URL. Instead of trying to encode the value before using it in markup, the developer chose to remove the reference to PHP_SELF.

Developers Solution

<?php$easingArray = array(swing,easeInQuad,easeOutQuad,easeInOutQuad,easeInCubic,easeOutCubic,easeInOutCubic,easeInQuart,easeOutQuart,easeInOutQuart,easeInQuint,easeOutQuint,easeInOutQuint,easeInSine,easeOutSine,easeInOutSine,easeInExpo,easeOutExpo,easeInOutExpo,easeInCirc,easeOutCirc,easeInOutCirc,easeInElastic,easeOutElastic,easeInOutElastic,easeInBack,easeOutBack,easeInOutBack,easeInBounce,easeOutBounce,easeInOutBounce);$overlayOpacity = array(0,0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1);$msArray = array(1,100,200,300,400,500,600,700,800,900,1000);$captions = array('a-title','img-alt','img-title','href','None');?><div class="wrap">-<form method="post"action="<?php echo $_SERVER['PHP_SELF']?>?page=slimbox2options"id="options"><?phpecho wp_nonce_field('update-options','wp_slimbox_wpnonce');?><h2><?php _e('WP Slimbox2 Plugin','wp-slimbox2');?></h2>+ <form method="post"action=""id="options"><?php echo wp_nonce_field('update-options','wp_slimbox_wpnonce');?><h2><?php _e('WP Slimbox2 Plugin','wp-slimbox2');?></h2><?phpif(isset($_POST['action']) &&wp_verify_nonce($_POST['wp_slimbox_wpnonce'],'update-options')){$options->update_option(array('autoload'  =>$_POST['wp_slimbox_autoload'],'loop' =>$_POST['wp_slimbox_loop'],'overlayOpacity'  =>$_POST['wp_slimbox_overlayOpacity'],'overlayColor' =>$_POST['wp_slimbox_overlayColor'],'overlayFadeDuration'  =>$_POST['wp_slimbox_overlayFadeDuration'],'resizeDuration' =>$_POST['wp_slimbox_resizeDuration'],'resizeEasing'  =>$_POST['wp_slimbox_resizeEasing'],'initialWidth' =>$_POST['wp_slimbox_initialWidth'],'initialHeight'  =>$_POST['wp_slimbox_initialHeight'],'imageFadeDuration' =>$_POST['wp_slimbox_imageFadeDuration'],'captionAnimationDuration'  =>$_POST['wp_slimbox_captionAnimationDuration'],'caption' =>array($_POST['wp_slimbox_caption1'],$_POST['wp_slimbox_caption2'],$_POST['wp_slimbox_caption3'],$_POST['wp_slimbox_caption4']),'url' =>$_POST['wp_slimbox_url'],'selector' =>$_POST['wp_slimbox_selector'],'counterText' 
=>$_POST['wp_slimbox_counterText'],'closeKeys'  =>$_POST['wp_slimbox_closeKeys'],'previousKeys' =>$_POST['wp_slimbox_previousKeys'],'nextKeys'  =>$_POST['wp_slimbox_nextKeys'],'picasaweb' =>$_POST['wp_slimbox_picasaweb'],'flickr'  =>$_POST['wp_slimbox_flickr'],'mobile' =>$_POST['wp_slimbox_mobile'],'maintenance' =>$_POST['wp_slimbox_maintenance'],'cache'  =>$_POST['wp_slimbox_cache']));echo '<div id="message"class="updated fade"><p><strong>'.__('Settings Saved','wp-slimbox2').'.</strong></p></div>'}$caption = $options->get_option('caption');function selectionGen(&$option,&$array){foreach($array as $key=>$ms){$selected = ($option != $ms)? '':' selected';echo "<option value='$ms'$selected>".(($ms=='1'&&$array[0]!='0')?__('Disabled','wp-slimbox2'):$ms)."</option>\n"}}?><div style="clear:both;padding-top:5px;"></div><h2><?php _e('Settings','wp-slimbox2');?></h2><table class="widefat"cellspacing="0"id="inactive-plugins-table"><thead><tr><th scope="col"colspan="2"><?php _e('Setting','wp-slimbox2');?></th><th scope="col"><?php _e('Description','wp-slimbox2');?></th></tr></thead><tfoot><tr><th scope="col"colspan="3"><?php _e('Use the various options above to control some of the advanced settings of the plugin','wp-slimbox2');?></th></tr></tfoot><tbody class="plugins"><tr class='inactive'><td class='name'><?php _e('Autoload?','wp-slimbox2');?></td><th scope='row' class='check-column'><input type="checkbox"name="wp_slimbox_autoload"<?php if ($options->get_option('autoload') == 'on') echo ' checked="yes"';?>/></th><td class='desc'><p><?php _e('This option allows the user to automatically activate Slimbox on all links pointing to ".jpg",".jpeg",".png",".bmp"or ".gif". All image links will automatically be grouped together in a gallery according to the selector chosen below. 
If this isn\'t activated you will need to manually add <b><code>rel="lightbox"</code></b>for individual images or <b><code>rel="lightbox-imagesetname"</code></b>for groups on all links you wish to use the Slimbox effect. <b>Default is Disabled.</b>','wp-slimbox2');?></p></td></tr><tr class='inactive'><td class='name'><?php _e('Enable Picasaweb Integration?','wp-slimbox2');?></td><th scope='row' class='check-column'><input type="checkbox"name="wp_slimbox_picasaweb"<?php if ($options->get_option('picasaweb') == 'on') echo ' checked="yes"';?>/></th><td class='desc'><p><?php _e('This option allows the user to automatically add the Slimbox effect to Picasaweb links when provided an appropriate url (this is separate from the autoload script which only functions on direct image links). <b>Default is Disabled.</b>','wp-slimbox2');?></p></td></tr><tr class='inactive'><td class='name'><?php _e('Enable Flickr Integration?','wp-slimbox2');?></td><th scope='row' class='check-column'><input type="checkbox"name="wp_slimbox_flickr"<?php if ($options->get_option('flickr') == 'on') echo ' checked="yes"';?>/></th><td class='desc'><p><?php _e('This option allows the user to automatically add the Slimbox effect to Flickr links when provided an appropriate url (this is separate from the autoload script which only functions on direct image links). <b>Default is Disabled.</b>','wp-slimbox2');?></p></td></tr><tr class='inactive'><td class='name'><?php _e('Loop?','wp-slimbox2');?></td><th scope='row' class='check-column'><input type="checkbox"name="wp_slimbox_loop"<?php if ($options->get_option('loop') == 'on') echo ' checked="yes"';?>/></th><td class='desc'><p><?php _e('This option allows the user to navigate between the first and last images of a Slimbox gallery group when there is more than one image to display. 
<b>Default is Disabled.</b>','wp-slimbox2');?></p></td></tr><tr class='inactive'><td class='name'><?php _e('Overlay Opacity','wp-slimbox2');?></td><th scope='row' class='check-column'><select name="wp_slimbox_overlayOpacity"><?php selectionGen($options->get_option('overlayOpacity'),$overlayOpacity);?></select></th><td class='desc'><p><?php _e('This option allows the user to adjust the opacity of the background overlay. 1 is completely opaque,0 is completely transparent. <b>Default is 0.8.</b>','wp-slimbox2');?></p></td></tr><tr class='inactive'><td class='name'><?php _e('Overlay Color','wp-slimbox2');?></td><th scope='row' class='check-column'><input type="text"id="wp_slimbox_overlayColor"name="wp_slimbox_overlayColor"value="<?php echo $options->get_option('overlayColor');?>"size="7"maxlength="7"/><div id="picker"></div></th><td class='desc'><p><?php _e('This option allows the user to set the color of the overlay by selecting your hue from the circle and color gradient from the square. Alternatively you may manually enter a valid HTML color code. The color of the entry field will change to reflect your selected color. <b>Default is #000000.</b>','wp-slimbox2');?></p></td></tr><tr class='inactive'><td class='name'><?php _e('Overlay Fade Duration','wp-slimbox2');?></td><th scope='row' class='check-column'><select name="wp_slimbox_overlayFadeDuration"><?php selectionGen($options->get_option('overlayFadeDuration'),$msArray);?></select></th><td class='desc'><p><?php _e('This option allows the user to adjust the duration of the overlay fade-in and fade-out animations,in milliseconds. 
<b>Default is 400.</b>','wp-slimbox2');?></p></td></tr><tr class='inactive'><td class='name'><?php _e('Resize Duration','wp-slimbox2');?></td><th scope='row' class='check-column'><select name="wp_slimbox_resizeDuration"><?php selectionGen($options->get_option('resizeDuration'),$msArray);?></select></th><td class='desc'><p><?php _e('This option allows the user to adjust the duration of the resize animation for width and height,in milliseconds. <b>Default is 400.</b>','wp-slimbox2');?></p></td></tr>
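Review bot: dropping `$_SERVER['PHP_SELF']` from the `action` attribute (`+ <form method="post"action=""id="options">`) removes the reflected XSS, and an empty action posts back to the current URL, so the `?page=slimbox2options` query string is preserved. Remaining points in the context lines: `echo wp_nonce_field(...)` prints the field twice, because `wp_nonce_field()` echoes by default (drop the `echo` or pass `false` as its fourth argument); the `wp_slimbox_*` POST values are stored with `update_option()` unvalidated and later echoed into attributes such as `value="<?php echo $options->get_option('overlayColor');?>"` without `esc_attr()`, so a stored injection is possible for anyone who can submit the settings form; `$easingArray = array(swing,easeInQuad,...)` lists bare words, which PHP treats as undefined constants (notices today, a fatal error on PHP 8), so they should be quoted strings; and `checked="yes"` should be `checked="checked"`.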

Australia – Cross Site Scripting

Details

Affected Software: FreePBX

Fixed in Version: 2.5

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

One of the weirder XSS vulnerabilities I've seen :)
Here we see FreePBX using a portion of a log file in its HTML markup. Specifically, the PHP code uses the system() API to execute a command on the PBX system, and the output of that command is printed into the HTML markup. In this case, FreePBX runs tail on a log file to display some of the entries it contains. Looking at the vulnerable code sample, it is impossible to know exactly what is in these log files; however, it appears that HTML can end up in the log entries, given the sed command being run over the log file output:

| sed -e "s/$/<br>/"

The developers realized that the log files could contain other dangerous HTML elements and modified their sed command to try to filter those elements out. A better approach would be to use a proper encoding API. Luckily, it doesn't seem like the attacker can control anything passed to system(); otherwise this would have been a code execution bug rather than just an XSS!
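What the "proper encoding API" version looks like, as an added example rather than FreePBX code: the command output is captured instead of printed, and HTML escaping is done by htmlspecialchars() in PHP rather than by a sed substitution. It assumes $amp_conf['ASTLOGDIR'] is supplied by the surrounding FreePBX page; the sample log lines are constructed, not real Asterisk output.

```php
<?php
// Added example (not FreePBX code): render the tail of the Asterisk log with
// PHP's encoding API instead of a sed rule inside the shell pipeline.

// Turn raw log text into safe HTML: escape first, then add the line breaks.
function render_log_as_html( string $raw ): string {
    // htmlspecialchars() covers &, <, >, " and '; the sed rule covered only < and >,
    // so an entity already present in the log would have been double-rendered.
    $escaped = htmlspecialchars( $raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    return nl2br( $escaped, false );   // false: emit <br> rather than <br />
}

// Run tail with the path passed as one shell argument and capture the output,
// rather than letting system() write it straight into the page.
function showlog_tail( string $logdir, int $lines = 2000 ): string {
    $cmd = 'tail --lines=' . (int) $lines . ' ' . escapeshellarg( $logdir . '/full' );
    $raw = shell_exec( $cmd );
    if ( $raw === null || $raw === false ) {
        return '<p>' . htmlspecialchars( 'Unable to read the log file.', ENT_QUOTES, 'UTF-8' ) . '</p>';
    }
    return render_log_as_html( $raw );
}

// Constructed sample (not real Asterisk output): a line carrying markup and
// one carrying a bare ampersand, the two cases the sed rule handled differently.
$sample = "[Jan  1 00:00:00] NOTICE[123]: chan_sip.c: Registration from '<b>not bold</b>' failed\n"
        . "[Jan  1 00:00:01] VERBOSE[123]: trunk A & trunk B\n";
echo render_log_as_html( $sample );

// In the FreePBX page this would replace the system() call in the showlog case:
// echo showlog_tail( $amp_conf['ASTLOGDIR'] );
```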

Developers Solution

<?php$display = $_REQUEST['display'];$type = isset($_REQUEST['type']) ? $_REQUEST['type']:'tool';$action = isset($_REQUEST['action']) ? $_REQUEST['action']:'';?></div><div class="content"><?phpswitch($action){case 'showlog':?><h2><?php echo sprintf(_('%s - last 2000 lines'),$amp_conf['ASTLOGDIR']."/full") ?></h2><a href="config.php?<?php echo "display=$display&type=$type&action=showlog"?>"><?php echo _("Redisplay Asterisk Full debug log (last 2000 lines)") ?></a><br><hr><br><?php-echo system ('tail --line=2000 '.$amp_conf['ASTLOGDIR'].'/full | sed -e "s/$/<br>/"');+system ('tail --line=2000 '.$amp_conf['ASTLOGDIR'].'/full | sed -e "s,<,\&lt;,g;s,>,\&gt;,g;s/$/<br>/"');break;default:echo "<h2>"._("Asterisk Log Files")."</h2>";?><a href="config.php?<?php echo "display=$display&type=$type&action=showlog"?>"><?php echo _("Display Asterisk Full debug log (last 2000 lines)") ?></a><br><br><br><br><br><br><br><br><br><br><br><br><br><?php  break}?></div>
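Review bot: the `+system ('tail --line=2000 '.$amp_conf['ASTLOGDIR'].'/full | sed -e "s,<,\&lt;,g;s,>,\&gt;,g;s/$/<br>/"');` line neutralises tags in the log text, but the encoding still lives in the shell pipeline: `&` is left alone, so any entity already present in the log renders incorrectly, and `$amp_conf['ASTLOGDIR']` is concatenated into the command without `escapeshellarg()`. Capturing the output with `shell_exec()` and passing it through `htmlspecialchars()` before echoing covers all the HTML metacharacters in one place. Still unfixed in the same block: `$display` and `$type` come straight from `$_REQUEST` and are echoed into the `href` of both links (`display=$display&type=$type&action=showlog`) without encoding, a reflected injection into an attribute; apply `htmlspecialchars()` (or `urlencode()` on the query values) there as well. Style: `--line=` only works as an abbreviation of tail's `--lines=`.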