XSS in autoindex | patch included

felosi

Well-Known Member
#1
I sent you an email earlier, George, but it looks like your server was having problems.
Anyway, there is an XSS in autoindex. Some kiddy group made it; it does not do much more than give a popup, but could probably be used to steal cookies or whatever. I don't know, not too keen on XSS. Here is the original advisory:
Authors ....... mozako feat shen139
Date .......... 05-07-2005
Product ....... AutoIndex PHP Script
Type .......... Cross Site Scripting (XSS) vulnerability

o Description:
=============================
AutoIndex PHP Script is a simple website directory indexer and file
manager.

o Vulnerability Description:
=============================
287 [...]
288 $search = (isset($_GET['search']) ? $_GET['search'] : '');
289 $search_mode = (isset($_GET['searchMode']) ? $_GET['searchMode'] : '');
290 [...]

At line 289 AutoIndex PHP Script doesn't validate the '$_GET' variable
($search).
Consequently, a remote user can create a specially crafted
URL that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server.

o Products:
=============================
- AutoIndex PHP Script v. 1.5.2 (tested)

o Solution:
=============================
Sanitize the HTML source before writing it with a simple htmlspecialchars(...).

o Proof of concept:
=============================
http://www.vuln-site.org/index.php?search=...ir=&searchMode=

Original ADV: http://www.badroot.org/advisories/SA0x07
Here it is live on a server I haven't patched yet:
http://nig.felosi.info/_autoindex/default.php/%3E'%3E%3CScRiPt%3Ealert(document.domain)%3C/ScRiPt%3E

After the patch:
http://pr0be.net/_autoindex/default.php/%3E'%3E%3CScRiPt%3Ealert(document.domain)%3C/ScRiPt%3E

So it's still kinda not right, but the danger is gone.

My friends and I came up with a patch:
http://pr0be.net/files/default.php.txt

I suppose it can still use a little work, but no more XSS.
 
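As an added example (not code from AutoIndex, LiteSpeed, or the patch linked above), here is the reflected-parameter pattern the advisory describes, beside the htmlspecialchars() fix it recommends. The function names and the constructed $_GET array are assumptions for illustration. One practitioner's caveat is built in: the proof-of-concept above breaks out with a single quote, and before PHP 8.1 htmlspecialchars() leaves single quotes untouched unless ENT_QUOTES is passed explicitly, so the hardened version passes it.

```php
<?php
// Added example, not AutoIndex or LiteSpeed code. It models the pattern the
// advisory describes: a search term taken from $_GET and echoed back into HTML.

// Same "isset ? value : ''" shape as the advisory's lines 288-289 (hypothetical
// helper so the lookup can be exercised without a real web request).
function search_param(array $get): string
{
    return isset($get['search']) ? $get['search'] : '';
}

// Vulnerable pattern: the raw value is reflected into a single-quoted attribute,
// so a value containing ' can close the attribute and inject markup.
function render_search_vulnerable(string $search): string
{
    return "<input type=\"text\" name=\"search\" value='" . $search . "'>";
}

// Hardened pattern: escape for the HTML attribute context before reflecting.
// ENT_QUOTES is passed explicitly; without it, PHP before 8.1 would leave the
// single quote alone and the attribute could still be broken out of.
function render_search_safe(string $search): string
{
    $escaped = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
    return "<input type=\"text\" name=\"search\" value='" . $escaped . "'>";
}

// Cheap regression check: the reflected HTML must not contain the input verbatim.
function reflects_input_verbatim(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

// Constructed input: the URL-decoded shape of the advisory's proof-of-concept.
$constructedGet = ['search' => ">'><ScRiPt>alert(document.domain)</ScRiPt>"];
$search = search_param($constructedGet);

echo "vulnerable: " . render_search_vulnerable($search) . PHP_EOL;
echo "hardened:   " . render_search_safe($search) . PHP_EOL;

// The vulnerable renderer echoes the payload as-is; the hardened one emits only
// entities (&gt;&#039;&gt;&lt;ScRiPt&gt;...), which the browser shows as text.
assert(reflects_input_verbatim(render_search_vulnerable($search), $search) === true);
assert(reflects_input_verbatim(render_search_safe($search), $search) === false);
```

Run it from the command line with `php example.php`; the vulnerable line prints the script tag intact, while the hardened line prints it entity-encoded. The escaping is done at output time in the function that knows the HTML context, not at the $_GET lookup, which is where a "sanitize on input" patch tends to miss cases.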

mistwang

LiteSpeed Staff
#2
Actually, the advisory is for another open source autoindex script; we wrote our own.
Anyway, we improved it based on the feedback, and made it impossible to access directly.
 

felosi

Well-Known Member
#3
Yeah, I wasn't sure if the advisory was the same as the string; it was what I was sent. But I'm glad I could help, and if I hear anything else I'll be the first to let you know.
 