Referer XSS in ExpressionEngine

Summary

Vulnerability: Referer XSS in ExpressionEngine
Discovered: 2006.01.24
Last Update: 2006.01.26 (Solution added)
ID: EV0048
CVE: CVE-2006-0461
Risk Level: medium
Type: Cross Site Scripting
Status: Patched
Vendor: n/a
Vulnerable Software: ExpressionEngine (http://www.pmachine.com)
Version: 1.4.1
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A cross-site scripting vulnerability was found in the ExpressionEngine (http://www.pmachine.com) script.

Vulnerable script: core.input.php

The $_SERVER['HTTP_REFERER'] variable isn't properly sanitized. An attacker can send an HTTP request with a forged Referer header value containing arbitrary HTML or script code. That code is executed when the administrator (or any user) opens the Referrers Statistics page.

The administrator's session is at risk.

PoC/Exploit

Example of HTTP query:

GET /path/index.php HTTP/1.0
Host: host
Referer: http://<XSS>.com/;

Solution

Here is the information provided by the vendor:

The $_SERVER['HTTP_REFERER'] variable is actually sanitized before being inserted into the database (and thus before being output). This is done not in the core.input.php file, but in the core.functions.php file where the processing is done. When sanitization is done in ExpressionEngine, XSS code is converted into HTML entities, making it impotent when displayed but still allowing an administrator to safely view the code. However, before being inserted into the database, ExpressionEngine also runs a referrer spam prevention script on the referrer that, unfortunately, converts the HTML entities back into characters. Thus, the XSS protection was basically removed by the spam prevention script.
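To make the ordering flaw the vendor describes concrete, here is a small Python model (an added example, not ExpressionEngine's own code): an entity-encoding sanitizer followed by a spam filter that unescapes its input, beside the corrected order that filters the raw value first and sanitizes last. The sample Referer value, the spam-word list and all function names are constructed for this illustration.

```python
import html
import re

# Constructed sample Referer header, in the spirit of the advisory's PoC.
FORGED_REFERER = 'http://<script>alert(1)</script>.com/;'

# Hypothetical blocklist standing in for a real referrer-spam filter.
SPAM_WORDS = ("casino", "viagra")


def sanitize(value: str) -> str:
    """Input-layer sanitizing: turn HTML-significant characters into entities."""
    return html.escape(value, quote=True)


def referrer_spam_filter(value: str) -> str:
    """Models the spam-prevention step: it decodes entities so it can match
    keywords against the real URL, then returns the DECODED string (the bug)."""
    decoded = html.unescape(value)
    if any(word in decoded.lower() for word in SPAM_WORDS):
        return ""  # spammy referrer dropped entirely
    return decoded


def store_vulnerable(referer: str) -> str:
    """Broken order: sanitize, then spam-filter, which undoes the sanitizing."""
    return referrer_spam_filter(sanitize(referer))


def store_fixed(referer: str) -> str:
    """Corrected order: spam-filter the raw value, then sanitize what is stored.
    Encoding at render time would be a second, independent line of defence."""
    kept = referrer_spam_filter(referer)
    return sanitize(kept)


def contains_markup(stored: str) -> bool:
    """True if a stats page that echoes this value verbatim would render a tag."""
    return re.search(r"<[a-zA-Z/]", stored) is not None


if __name__ == "__main__":
    print("vulnerable stores:", store_vulnerable(FORGED_REFERER))
    print("fixed stores:     ", store_fixed(FORGED_REFERER))
```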

Here is the location of the fixed core.functions.php file, which users will have to upload to their ExpressionEngine site's system/core/ directory:

http://www.pmachine.com/downloads/security_fix_20060122.zip