Tuesday, April 23, 2013

IDG Now! vulnerable to reflected XSS


IDG Now! is one of the most popular Brazilian IT online mags and a reference in the Portuguese language. It has millions of visits each day and a large community on social networks.

The site suffered from a reflected DOM XSS in the JavaScript code for the AnythingSlider.

Vulnerable code:
a.gotoHash = function() {
var c = a.win.location.hash,
(...)

The location.hash wasn't sanitized, so anyone could manipulate the URL to inject an XSS vector.

Proof of concept:
http://idgnow.uol.com.br/#<img src=x onerror=prompt(1);>
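As an added example (not the page's or AnythingSlider's own code), this is how a gotoHash routine can consume location.hash safely: the fragment is decoded, matched against a strict allowlist pattern and turned into a panel index, so the raw string never reaches a selector or innerHTML. The "#panel-<n>" naming and the slider object shape are assumptions made for the demo.

```javascript
// Added example: defensive handling of location.hash for a slider's gotoHash.
// Assumptions (not from the page): panels are addressed as "#panel-<n>"
// and the slider is a plain object { panels: [...], current: <index> }.

const PANEL_HASH_RE = /^panel-(\d{1,3})$/;

// Turn a raw location.hash into a 1-based panel number, or null when the
// fragment is anything other than a known panel reference.
function resolveHash(hash, panelCount) {
  if (typeof hash !== 'string' || hash.charAt(0) !== '#') return null;
  let fragment = hash.slice(1);
  try {
    fragment = decodeURIComponent(fragment); // browsers may leave %-escapes in the hash
  } catch (e) {
    return null; // malformed percent-encoding: treat as "no navigation"
  }
  const match = PANEL_HASH_RE.exec(fragment);
  if (match === null) return null; // markup, quotes, anything off-pattern is dropped here
  const n = Number(match[1]);
  return n >= 1 && n <= panelCount ? n : null;
}

// Apply the result by index. The hash string itself never touches the DOM,
// a selector or innerHTML, which is exactly what the vulnerable gotoHash got wrong.
function gotoHashSafe(hash, slider) {
  const n = resolveHash(hash, slider.panels.length);
  if (n !== null) slider.current = n - 1;
  return slider.current;
}

// Constructed sample slider and inputs, including the reflected vector from
// the proof of concept above, which must be rejected without side effects.
const demoSlider = { panels: ['intro', 'news', 'opinion'], current: 0 };
gotoHashSafe('#panel-3', demoSlider);                        // current becomes 2
gotoHashSafe('#<img src=x onerror=prompt(1);>', demoSlider); // current unchanged
```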


Also, the jQuery version was outdated.

The development team for IDG Now! reported that they fixed the DOM XSS issue and updated the jQuery framework.

Timeline:
23 Mar 2013: Reported to IDG Now!
26 Mar 2013: Fixed by their development team.
23 Apr 2013: Full disclosure.

Friday, April 12, 2013

phpMyAdmin XSS


For those who don't know phpMyAdmin, it is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc.), while you still have the ability to directly execute any SQL statement.

When using it on a client, I found out that, under versions 3.5.3, 3.5.4 and 3.5.5, it was possible to inject a self-XSS.

The vulnerability is in the "Title" field under "Query results operations" - "Display Chart". When a title containing an XSS vector is entered, the code is executed automatically.

Proof of concept:
Chart title"><script>alert("xss by @dsopas")


This bug was fixed (version 3.5.6) but, per their policy for self-XSS, they decided against a security release.
The commit is https://github.com/phpmyadmin/phpmyadmin/commit/d30aaae.

Timeline:
10 Jan 2013: Reported to phpMyAdmin security team
10 Jan 2013: They replied and told me that they're investigating
15 Mar 2013: I asked for an update; they reported that it had already been fixed since January.
12 Apr 2013: Full disclosure