by r0t, der4444, cembo, VietMafia

Wednesday, December 21, 2005

Scoop XSS vuln.


Vuln. discovered by: r0t
Date: 21 Dec. 2005
Vendor: http://scoop.kuro5hin.org/
Affected version: 1.1 RC1 and prior

Product Description:

Scoop is a "collaborative media application". It falls somewhere between a content management system, a web bulletin board system, and a weblog. Scoop is designed to enable your website to become a community. It empowers your visitors to be the producers of the site, contributing news and discussion, and making sure that the signal remains high.

A Scoop site can be run almost entirely by the readers. The whole life-cycle of content is reader-driven. They submit news, they choose what to post, and they can discuss what they post. Readers can rate other readers' comments as well, providing a collaborative filtering tool to let the best contributions float to the top. Based on this rating, you can also reward consistently good contributors with greater power to review potentially untrusted content. The real power of Scoop is that it is almost totally collaborative.

Of course, as an admin, you also may pick and choose which tools you want the community to have, and which will be available to admins only. Administrators have a very wide range of customization and security management tools available. All of the administration of Scoop is done through the normal web interface. Scoop will seamlessly provide more options to site administrators, right in the normal site, so the tools you need are always right where you need them.



Vuln. Description:

Scoop contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "type" and "count" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Examples:

/?op=search&offset=0&old_count=30&type=[XSS]

/?op=search&offset=0&old_count=30&type=story&topic=&section=&string=r0t&count=1[XSS]



/story/2005/11/4/184932/452[XSS]
/story/2005/11/4/184932[XSS]
/story/2005/11/4[XSS]
/story/2005/11[XSS]
/story/2005[XSS]
/story/[XSS]

Solution:
Edit the source code to ensure that input is properly sanitised.
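
One way to apply this fix to the search parameters and story paths listed above, as an added example that is not Scoop's own code: validate each value against what it is allowed to be, then HTML-encode everything at the point of output. The allow-list contents, numeric limits, defaults and function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: only "story" appears on the page; list the site's real search types here.
ALLOWED_TYPES = frozenset({"story"})
STORY_PATH = re.compile(r"/story(?:/[0-9]{1,6}){1,5}/?")


def clean_int(raw, default, lo, hi):
    """Accept plain ASCII digits only, then clamp into [lo, hi]."""
    if not re.fullmatch(r"[0-9]{1,6}", raw or ""):
        return default
    return max(lo, min(hi, int(raw)))


def clean_search_params(query_string):
    """Validate the search parameters named in the advisory."""
    q = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    search_type = q.get("type", "story")
    return {
        "type": search_type if search_type in ALLOWED_TYPES else "story",
        "count": clean_int(q.get("count"), default=30, lo=1, hi=100),
        "offset": clean_int(q.get("offset"), default=0, lo=0, hi=999999),
        "string": q.get("string", ""),  # free text: cannot be allow-listed
    }


def is_valid_story_path(path):
    """True only for /story/ followed by one to five numeric segments."""
    return STORY_PATH.fullmatch(path) is not None


def render_search_form(params):
    """Echo values back into HTML, encoding every one at the point of output."""
    esc = lambda v: html.escape(str(v), quote=True)
    return (
        '<input name="string" value="{}">'
        '<input name="type" value="{}">'
        '<input name="count" value="{}">'
    ).format(esc(params["string"]), esc(params["type"]), esc(params["count"]))


if __name__ == "__main__":
    # Constructed request: harmless markup appended to type, count and string.
    demo = clean_search_params('op=search&type=story"><i>x</i>&string=r0t<i>&count=1"><i>x</i>')
    print(demo)
    print(render_search_form(demo))
    print(is_valid_story_path("/story/2005/11/4/184932/452"))
```

Requests whose path fails `is_valid_story_path` should get an error page that does not echo the path back.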

Copyright (c) 2006 Pridels Sec Crew