CodeScan Labs (www.codescan.com) has recently released a new source code scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to check web application source code for security vulnerabilities. CodeScan utilises an intelligent source code parsing engine, traversing execution paths and tracking the flow of user-supplied input.
During the ongoing testing of CodeScan ASP, Xoops was selected as one of the test applications. We downloaded Xoops from the Xoops website http://sourceforge.net/projects/xoops/files/XOOPS Core (stable releases)/XOOPS 2.4.3/.
This advisory is the result of research into the security of Xoops, based on the report generated by the CodeScan tool.
The unlink function is used by a web page to delete a file on the web server. The unlink function was found to be used with user input:
Although filter functions such as str_replace are used:
$oldsmile_path = str_replace("\\", "/", realpath(XOOPS_UPLOAD_PATH.'/'.trim($_POST['old_smile'])));
this is not strong enough for CodeScan Developer to count it as a filter: str_replace only normalises path separators and realpath only resolves the path, neither confines the result to the upload directory. It is potentially dangerous for a user to directly control which file is deleted, depending on the access and permissions the user holds. It is recommended that user permissions and access are constrained to prevent exploitation.
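The following is an added example, not Xoops's own code, showing the original pattern beside a hardened one that confines the user-supplied name to the upload directory before unlink() is called. XOOPS_UPLOAD_PATH and the old_smile POST field are the names the advisory quotes; the temporary directory and file names below are constructed for the demonstration.

```php
<?php
// Added example (not Xoops's own code): confining a user-supplied file name to
// the upload directory before calling unlink(). The demo directory stands in
// for XOOPS_UPLOAD_PATH and the string literals stand in for $_POST['old_smile'].

declare(strict_types=1);

/**
 * Return the absolute path of $userName inside $baseDir, or null when the
 * request must be refused (traversal, absolute path, symlink escape, missing file).
 */
function resolveInsideDir(string $baseDir, string $userName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // Accept only a plain file name: no directory separators, no '..' segments.
    if ($userName === '' || $userName !== basename($userName) || $userName === '..') {
        return null;
    }
    // realpath() resolves symlinks, so a link pointing outside is caught below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userName);
    if ($candidate === false) {
        return null; // file does not exist
    }
    // The resolved path must start with the resolved base directory plus a separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Delete a smiley image only if it resolves inside the upload directory. */
function deleteSmiley(string $baseDir, string $userName): bool
{
    $path = resolveInsideDir($baseDir, trim($userName));
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed demo layout: one file inside the upload directory, one outside it.
$uploadDir = sys_get_temp_dir() . '/xoops_upload_demo';
@mkdir($uploadDir, 0700, true);
file_put_contents($uploadDir . '/smile.gif', 'GIF89a');
file_put_contents(sys_get_temp_dir() . '/outside.txt', 'must survive');

// Original pattern: realpath() normalises the path but does not confine it, so a
// traversal value resolves to the file outside the upload directory.
$oldsmilePath = str_replace("\\", "/", realpath($uploadDir . '/' . trim('../outside.txt')));
var_dump($oldsmilePath);

// Hardened pattern: the traversal value is refused, the plain name is accepted.
var_dump(deleteSmiley($uploadDir, '../outside.txt'));
var_dump(deleteSmiley($uploadDir, 'smile.gif'));
```

The prefix check runs on the output of realpath() rather than on the raw input, which is what makes it robust against "..", absolute paths and symlinks alike; the basename() check in front of it simply refuses anything that is not a bare file name, which is all a smiley-deletion form needs to accept.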
CodeScan Developer has identified that the application header assigns user input to the $redirect variable with no validators, restrictions or custom filter functions:
$redirect = trim($_GET['xoops_redirect']); and:
header('Location: ' . $redirect);
This is potentially dangerous: a malicious user could inject content into the header, and the next time a user accesses the page that injected content could be executed.
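As an added example (not Xoops's own code), the validator below shows what a filter in front of the Location header can look like: it refuses control characters, scheme-relative "//host" targets and any absolute URL whose host is not the configured site host. The xoops_redirect parameter name is taken from the advisory; the site host and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not Xoops's own code): validating the xoops_redirect value
// before it is placed in a Location header. The host name and the sample
// inputs are constructed for this demonstration.

declare(strict_types=1);

/**
 * Return a safe redirect target, or $fallback when the value must be refused.
 * Accepted: a site-relative path ("/foo", but not "//host" or "/\host"), or an
 * absolute http(s) URL whose host equals $allowedHost. Everything else,
 * including values containing CR/LF or other control characters, is refused.
 */
function safeRedirectTarget(string $userValue, string $allowedHost, string $fallback = '/'): string
{
    $target = trim($userValue);
    if ($target === '' || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback; // empty, or carries a control character (header injection)
    }
    // Site-relative path: exactly one leading slash, not followed by '/' or '\'.
    if (preg_match('#^/(?![/\\\\])#', $target)) {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // relative garbage, "javascript:" and friends land here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback; // "https://www.example.test@evil.example/" style confusion
    }
    if (strcasecmp($parts['host'], $allowedHost) !== 0) {
        return $fallback; // off-site host
    }
    return $target;
}

// Constructed sample inputs standing in for $_GET['xoops_redirect'].
$samples = [
    '/modules/news/',
    'https://www.example.test/user.php',
    'https://other.example/user.php',
    '//other.example/user.php',
    "/ok\r\nX-Injected: 1",
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", json_encode($s), safeRedirectTarget($s, 'www.example.test'));
}

// In the page handler the validated value replaces the raw one. The allowed host
// should come from the site configuration, not from the request's Host header:
//   header('Location: ' . safeRedirectTarget($_GET['xoops_redirect'] ?? '', '<configured-site-host>'));
```

Modern PHP releases refuse to emit a header() value that contains a newline, but that only covers the response-splitting half of the problem; the off-site redirect half is a logic check the application has to make itself, which is why the host comparison is explicit here.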
Discovered and advised to the vendor by CodeScan Labs
CodeScan Labs is a specialist security research and development organisation that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through the automated scanning of web application source code for security vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET and PHP.
CodeScan Labs operates with Responsible Disclosure. As a result, any published advisories will contain information around problems identified by CodeScan that have been resolved by the vendor. Additional code problems which may be identified by CodeScan or its staff which are not resolved by the vendor will not be made publicly available.