UserAgent XSS Vulnerability in raSMP

Summary

Vulnerability: UserAgent XSS Vulnerability in raSMP
Discovered: 2006.01.04
Last Update: n/a
ID: EV0013
CVE: CVE-2006-0084
Risk Level: medium
Type: Cross Site Scripting
Status: Unpatched
Vendor: n/a
Vulnerable Software: raSMP 2.0.0 (http://www.rasmp.com/)
Version: 2.0.0
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A Cross Site Scripting vulnerability was found in raSMP 2.0.0 (http://www.rasmp.com/).

Vulnerable scripts:

  • common.php
  • common/functions.php
  • admin/stats.php

The variable $_SERVER['HTTP_USER_AGENT'] is not properly sanitized. An attacker can send an HTTP request with a forged User-Agent value containing arbitrary HTML or script code; that code is stored with the visit statistics and executed in the administrator's browser when the administrator opens Site Statistics.

The administrator's authentication is threatened.

PoC/Exploit

HTTP query:

GET /path/index.php HTTP/1.0
Host: rasmphost
User-Agent: <XSS>

Solution

No patch available.

Edit the source code: the variable $_SERVER['HTTP_USER_AGENT'] needs additional sanitization before it is written into the statistics pages.
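The following PHP is an added illustration of the defect described above and of the fix this advisory recommends; it is not raSMP's own code. The function names (log_visit, render_stats_unsafe, render_stats_safe, h), the 512-byte length cap and the sample request array are assumptions made for the example. The raw header value may be stored as-is; the defect is emitting it into admin HTML without escaping, and the hardened renderer escapes it at output time with htmlspecialchars.

```php
<?php
// Added example, not part of raSMP. Hypothetical helper names throughout.
declare(strict_types=1);

/**
 * Record a visit the way a statistics script would, taking the User-Agent
 * from the request. Storing the raw value is acceptable; escaping belongs
 * at the point where the value is rendered as HTML.
 */
function log_visit(array $server, array &$visits): void
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // Assumption: cap stored length so the stats table cannot be flooded.
    $visits[] = [
        'ip' => $server['REMOTE_ADDR'] ?? '',
        'ua' => mb_substr($ua, 0, 512, 'UTF-8'),
    ];
}

/** Vulnerable pattern: header text is interpolated into admin HTML unescaped. */
function render_stats_unsafe(array $visits): string
{
    $html = "<table>\n";
    foreach ($visits as $v) {
        $html .= "<tr><td>{$v['ip']}</td><td>{$v['ua']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** HTML-escape a string for a text node or quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every request-controlled value passes through h() on output. */
function render_stats_safe(array $visits): string
{
    $html = "<table>\n";
    foreach ($visits as $v) {
        $html .= '<tr><td>' . h($v['ip']) . '</td><td>' . h($v['ua']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample request: a forged User-Agent carrying the advisory's
// placeholder markup (not a working payload).
$fakeServer = [
    'HTTP_USER_AGENT' => '<XSS>',
    'REMOTE_ADDR'     => '192.0.2.10',
];
$visits = [];
log_visit($fakeServer, $visits);

$unsafe = render_stats_unsafe($visits);
$safe   = render_stats_safe($visits);

// Defender's check: the unsafe page carries the raw tag, the safe page does not.
if (strpos($unsafe, '<XSS>') === false) {
    throw new RuntimeException('expected the unsafe renderer to reproduce the defect');
}
if (strpos($safe, '<XSS>') !== false || strpos($safe, '&lt;XSS&gt;') === false) {
    throw new RuntimeException('hardened renderer failed to escape the User-Agent');
}

echo $safe;
```

Run it with `php example.php`; it prints the escaped table and exits non-zero if the hardened renderer lets markup through. Escaping at output rather than at storage is the safer choice because the same stored value may later be rendered in other contexts (CSV export, JSON, a JavaScript string), each needing its own encoder.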