email XSS in SimpLISTic

Summary

Vulnerability: email XSS in SimpLISTic
Discovered: 2010.11.13
Last Update: n/a
ID: EV0145
CVE: n/a
Risk Level: low
Type: Cross Site Scripting
Status: Unpatched. Vendor notified. No reply from developer(s).
Vendor: Mrcgiguy (http://www.mrcgiguy.com/)
Vulnerable Software: SimpLISTic
Version: 2.0
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A Cross Site Scripting vulnerability was found in the SimpLISTic script.

email XSS
An XSS vulnerability was found in the email.cgi script. The email parameter is not properly sanitized: it passes through a simple format filter but not through an XSS filter, so any user may submit an email address containing script code. The "List addresses" page in the Admin panel is vulnerable, because the stored address is included in its HTML unescaped.

PoC/Exploit

Example of XSS
email XSS PoC code for SimpLISTic is available.
XSS payload submitted in the Email field:
Email: email@website.com</textarea><script>alert('XSS vulnerability')</script>

Solution

The email parameter passes through only a simple format filter, which requires an "@" and a "." but rejects nothing else:
if (($FORM{email} =~ m/@/) && ($FORM{email} =~ m/\./)) {$atcheck = 1}

This is not enough to sanitize XSS code. The recommended fix is to HTML-escape the value (the ampersand must be replaced first, so that the entities introduced by the later substitutions are not double-escaped):
$FORM{email} =~ s/\&/\&amp\;/g;
$FORM{email} =~ s/\</\&lt\;/g;
$FORM{email} =~ s/\>/\&gt\;/g;
$FORM{email} =~ s/\"/\&quot\;/g;
$FORM{email} =~ s/\'/\&#x27\;/g;
$FORM{email} =~ s/\//\&#x2F\;/g;

Apply this filter before including $FORM{email} into HTML code.
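The following is an added example, not code from SimpLISTic or the advisory author: it puts the original format check and the recommended escaping side by side and runs both over a normal address and over the PoC payload, showing that the check alone accepts the payload while the escaping renders it as inert text. The `strict_email_ok` allowlist is an additional defence-in-depth suggestion of this example, not part of the advisory's fix.

```perl
#!/usr/bin/perl
# Added example: why the email.cgi format check is insufficient and how
# the recommended HTML escaping neutralises the advisory's PoC payload.
use strict;
use warnings;

# The original check from email.cgi: only requires an '@' and a '.'.
sub looks_like_email {
    my ($email) = @_;
    return (($email =~ m/@/) && ($email =~ m/\./)) ? 1 : 0;
}

# The recommended fix: escape every HTML metacharacter before output.
# '&' goes first so the entities added below are not escaped twice.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#x27;/g;
    $s =~ s{/}{&#x2F;}g;
    return $s;
}

# Additional input validation (this example's suggestion, not the
# advisory's): accept only characters that can occur in an address,
# so the payload is rejected before it is ever stored.
sub strict_email_ok {
    my ($email) = @_;
    return ($email =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/) ? 1 : 0;
}

# Constructed inputs: a normal address and the advisory's PoC payload.
my @inputs = (
    'user@example.com',
    q{email@website.com</textarea><script>alert('XSS vulnerability')</script>},
);

for my $email (@inputs) {
    # Both inputs pass the original check, so it stops nothing.
    printf "format check: %d  strict check: %d\n",
        looks_like_email($email), strict_email_ok($email);
    # After escaping, the browser shows the payload as literal text.
    printf "escaped for HTML: %s\n\n", html_escape($email);
}
```

Running the script prints a format-check result of 1 for both inputs, while the strict check returns 1 only for the normal address and the escaped payload contains no raw `<`, `>` or `/` characters.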

Check for updates from MrCgiGuy website: http://www.mrcgiguy.com/