Referer XSS in ExpressionEngine
Summary
- Vulnerability: Referer XSS in ExpressionEngine
- Discovered: 2006.01.24
- Last Update: 2006.01.26 (solution added)
- ID: EV0048
- CVE: CVE-2006-0461
- Risk Level: medium
- Type: Cross Site Scripting
- Status: Patched
- Vendor: n/a
- Vulnerable Software: ExpressionEngine (http://www.pmachine.com)
- Version: 1.4.1
- PoC/Exploit: Available
- Solution: Available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Cross Site Scripting was found in an ExpressionEngine (http://www.pmachine.com) script.
Vulnerable script: core.input.php
The $_SERVER['HTTP_REFERER'] variable isn't properly sanitized. An attacker can send an HTTP request with a forged Referer value that contains arbitrary HTML or script code. That code is executed when the administrator (or any other user) opens the Referrers Statistics page.
The administrator's session is therefore at risk.
PoC/Exploit
Example HTTP request:
GET /path/index.php HTTP/1.0
Host: host
Referer: http://<XSS>.com/;
Solution
Here is the information provided by the vendor:
The $_SERVER['HTTP_REFERER'] variable is actually sanitized before being inserted into the database (and thus before being output). This is done not in the core.input.php file, but in the core.functions.php file, where the processing is done. When sanitization is done in ExpressionEngine, XSS code is converted into HTML entities, making it impotent when displayed but still allowing an administrator to safely view the code. However, before it is inserted into the database, ExpressionEngine also runs a referrer spam prevention script on the referrer that, unfortunately, converts the HTML entities back into characters. Thus, the XSS protection was basically removed by the spam prevention script.
Here is the location of the fixed file core.functions.php, which users will have to upload to the system/core/ directory of their ExpressionEngine site:
http://www.pmachine.com/downloads/security_fix_20060122.zip
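The vendor's explanation describes an ordering bug: a value is escaped for HTML, then a later filter decodes the entities and the decoded value is what gets stored and displayed. The following PHP is an added illustration, not ExpressionEngine's code; the function names, the blocklist and the sample Referer value are constructed for the example. It shows a referrer-spam filter that decodes entities to match its blocklist and wrongly returns the decoded string, next to a variant that decodes only for the comparison and passes the escaped value through unchanged.

```php
<?php
// Added example (not ExpressionEngine code): demonstrates how a spam filter
// that decodes HTML entities after sanitization undoes the XSS protection,
// and how keeping the escaped value for storage fixes it.

// Hypothetical sanitizer: converts markup in the Referer to HTML entities,
// as the vendor describes the core.functions.php processing doing.
function sanitize_referer(string $referer): string
{
    return htmlspecialchars($referer, ENT_QUOTES, 'UTF-8');
}

// Broken filter: decodes entities so blocklist words cannot be hidden behind
// entity encoding, but then returns the DECODED string for storage.
// Returns null when the referrer is rejected as spam.
function spam_filter_broken(string $referer, array $blocklist): ?string
{
    $decoded = html_entity_decode($referer, ENT_QUOTES, 'UTF-8');
    foreach ($blocklist as $word) {
        if (stripos($decoded, $word) !== false) {
            return null; // rejected as referrer spam
        }
    }
    return $decoded; // bug: raw '<' and '>' reach the database and the stats page
}

// Fixed filter: decodes only for the comparison and returns the value it was
// given, so the escaping applied earlier survives into storage.
function spam_filter_fixed(string $referer, array $blocklist): ?string
{
    $decoded = html_entity_decode($referer, ENT_QUOTES, 'UTF-8');
    foreach ($blocklist as $word) {
        if (stripos($decoded, $word) !== false) {
            return null; // rejected as referrer spam
        }
    }
    return $referer; // still entity-encoded
}

// Pipeline as the vendor describes it: sanitize first, spam-check second.
function store_referer(string $raw, array $blocklist, bool $fixed): ?string
{
    $escaped = sanitize_referer($raw);
    return $fixed
        ? spam_filter_fixed($escaped, $blocklist)
        : spam_filter_broken($escaped, $blocklist);
}

// Constructed sample input: a forged Referer header carrying a script tag,
// and a small blocklist of referrer-spam keywords.
$forgedReferer = 'http://example.invalid/<script>alert(1)</script>';
$blocklist     = ['casino', 'pharmacy'];

// Compare what each pipeline would write to the database.
echo "broken pipeline stores: ", var_export(store_referer($forgedReferer, $blocklist, false), true), PHP_EOL;
echo "fixed pipeline stores:  ", var_export(store_referer($forgedReferer, $blocklist, true), true), PHP_EOL;

// A genuine spam referrer is rejected by both variants.
echo "spam referrer rejected: ", var_export(store_referer('http://casino.invalid/', $blocklist, true) === null, true), PHP_EOL;
```

Run with `php example.php`. The broken pipeline stores the script tag with literal angle brackets, which is exactly what the statistics page later renders into the administrator's browser; the fixed pipeline stores `&lt;script&gt;...`, which displays as text. The general lesson is that any step between escaping and output that transforms the value (decoding, trimming, re-encoding) must be audited, or escaping should be applied at output time rather than at storage time.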