Some months ago, working on a site running the Aardvark Topsites PHP application, I found a couple of information disclosure vulnerabilities and an HTML injection (cross-site scripting) vulnerability.

Now that I have some time, and after some emails with the application developer, I decided to report them and publish them here.

These are easy-to-fix bugs and I hope this helps to improve the security of this application.

All of them are caused by a lack of input verification and sanitization.

Affected versions: 5.2.1 and older
Publishing disclosure date: April 2009

Exploit details:

HTML Injection / XSS
(up to version 5.2.0)
For example, it is possible to inject a link to any URL with any anchor text.
POC: /index.php?a=search&q=psstt+security"><a+href%3Dhttp%3A%2F%2Fwebsec.id3as.com>Web-Application-Security

Information Disclosure 1
(up to version 5.2.1)
Disclosure of the full path of the application sources when you put a negative number in the 'start' parameter.
POC: /index.php?a=search&q=psstt&start=-4

Information Disclosure 2
(up to version 5.2.0)
Disclosure of the full path of the application sources, and some source code too, when you put a non-existent user in the 'u' parameter.
POC: /index.php?a=rate&u=nonexistentuser

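As an added illustration (not code from Aardvark Topsites or from the author of this post), here is how the two search parameters above can be handled safely in PHP: 'start' is validated as a positive integer before it reaches the paging logic, and 'q' is HTML-escaped before it is reflected into the page. The function names safe_start and safe_query_html are my own.

```php
<?php
// Added example, not Aardvark Topsites code. Function names are hypothetical.

// Clamp 'start' to a non-negative offset so a negative page number can never
// reach the paging code that leaked the install path (Information Disclosure 1).
function safe_start(array $form): int
{
    if (!isset($form['start'])) {
        return 0;
    }
    // Accept only integers >= 1; anything else ('-4', 'abc', '') falls back to page 1.
    $page = filter_var($form['start'], FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    return ($page === false) ? 0 : $page - 1;   // 1-based page -> 0-based offset
}

// Escape the search term before echoing it into HTML so quotes and angle
// brackets cannot terminate the attribute or element (HTML Injection / XSS).
function safe_query_html(array $form): string
{
    // q[]=... would arrive as an array; treat anything that is not a string as empty.
    $q = (isset($form['q']) && is_string($form['q'])) ? $form['q'] : '';
    return htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs shaped like the two search POCs above (placeholder URL).
$requests = [
    ['q' => 'psstt security"><a href=http://example.invalid>x</a>', 'start' => '1'],
    ['q' => 'psstt', 'start' => '-4'],
    ['q' => ['not', 'a', 'string']],
];

foreach ($requests as $form) {
    printf("start=%d q=\"%s\"\n", safe_start($form), safe_query_html($form));
}
```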
#1 by Martyn - April 4th, 2010 at 04:51
Running 5.2.1 here. I fixed the information disclosure 1 problem by adding a check for the start value being less than zero in search.php, as follows:
old code....

    if (isset($FORM['start'])) {
        $start = intval($FORM['start']);
        if ($start > 0) {
            $start--;
        }
    }
    else {
        $start = 0;
    }

new code....

    if (isset($FORM['start'])) {
        $start = intval($FORM['start']);
        if ($start > 0) {
            $start--;
        }
        // added check: a negative 'start' is clamped to 0
        if ($start < 0) {
            $start = 0;
        }
    }
    else {
        $start = 0;
    }