Zero Science Lab » webgrind 1.0 (dataFile) Remote Reflected XSS Vulnerability

webgrind 1.0 (dataFile) Remote Reflected XSS Vulnerability

Title: webgrind 1.0 (dataFile) Remote Reflected XSS Vulnerability
Advisory ID: ZSL-2012-5073
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 17.02.2012

Summary

Webgrind is an Xdebug profiling web frontend in PHP5.

Description

webgrind suffers from a XSS vulnerability when parsing user input to the 'dataFile' parameter via GET method in the index.php script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

--------------------------------------------------------------------------------


/index.php:

-----------

24: case 'function_list':

25: $dataFile = get('dataFile');

--------------------------------------------------------------------------------

Vendor

Joakim Nygard and Jacob Oettinger - http://code.google.com/p/webgrind

Affected Version

1.0

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.9
MySQL 5.5.20

Vendor Status

[13.02.2012] Vulnerability discovered.
[16.02.2012] Vendor notified.
[17.02.2012] Public security advisory released.
[17.02.2012] Vendor states that the issue is fixed in the current version in trunk on GitHub.

PoC

webgrind_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://code.google.com/p/webgrind/issues/detail?id=65
[2] https://github.com/jokkedk/webgrind
[3] http://packetstormsecurity.org/files/109922/Webgrind-1.0-Cross-Site-Scripting.html
[4] http://cxsecurity.com/issue/WLB-2012020152
[5] http://www.securityfocus.com/bid/52068
[6] http://xforce.iss.net/xforce/xfdb/73337

Changelog

[17.02.2012] - Initial release
[18.02.2012] - Added reference [3], [4] and [5]
[25.02.2012] - Added reference [6]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk