We found multiple XSS issues in the sample code of the PHP Network client for WiKID, a Strong Authentication System. In detail identified reflected XSS were on the "login" page forms. Pretty standard issue from a technical standpoint: $PHP_SELF was not properly escaped and sanitized before being echoed back to the client, definitely a known scenario that still affect many different software.
WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities Name Multiple Vulnerabilities in wClient-PHP Systems Affected wClient-PHP 3.0-2 and earlier versions Severity Medium Impact (CVSSv2) Medium (5/10, vector: AV:N/AC:L/Au:N/C:C/I:N/A:N) Vendor http://www.wikidsystems.com/ Advisory http://www_ush_it/team/ush/hack-wclient/wikid.txt Author Francesco "ascii" Ongaro (ascii AT ush DOT it) Antonio "s4tan" Parata (s4tan AT ush DOT it) Date 20080411 I. BACKGROUND From the WiKID website: "The WiKID Strong Authentication System is a dual-source, software-based two-factor authentication system designed to be less expensive and more extensible than hardware tokens." II. DESCRIPTION In the wClient-PHP package PHP_SELF is echoed back to the client without proper sanitization leading to XSS issues. WiKID mantainers have released a new version of the software (3.0-3) that fixes exposed vulnerabilities and can be downloaded from the url: http://www.wikidsystems.com/downloads/network-clients Users that based their implementations on the code contained in sample.php are advised to upgrade. III. ANALYSIS During a review of the wClient-PHP-3.0-1.tar.gz package (an additional component of WiKID with network client functions) the following vulnerabilities were identified in the sample code: file sample.php, line 251: PHP_SELF insecure usage leads to XSS <form action="<?php echo $PHP_SELF ?>" method="POST" > file sample.php, line 269: PHP_SELF insecure usage leads to XSS <form action="<?php echo $PHP_SELF ?>" method="POST" > file sample.php, line 279: PHP_SELF insecure usage leads to XSS <form action="<?php echo $PHP_SELF ?>" method="POST" > file sample.php, line 292: possible PHP_SELF insecure usage leads to XSS <form action="<?php echo $PHP_SELF ?>" method="POST" > This one was not verified since it's not enabled in the version I have downloaded but probably it's exploitable in the exact same way as the other ones. file sample.php, line 306: PHP_SELF insecure usage leads to XSS <form action="<?php echo $PHP_SELF ?>" method="POST" > $PHP_SELF can be exploited by requesting an URL like file.php/<XSS>. Note: On recent PHP versions $PHP_SELF should be $_SERVER['PHP_SELF']. In case of register_globals=On on recent versions where the variable is undefined it's possible to override it by issuing PHP_SELF with the wished value in GPC (GET, POST, COOKIE). On old version of PHP it's possible to drive the value of PHP_SELF by GLOBALS poisoning [1]. Version 3.0-2 fix $PHP_SELF instances to $_SERVER['PHP_SELF'], users are strongly advised to do not use this version as it doesn't correctly fix presented vulnerabilities and is more exploitable than 3.0-1. An attacker can steal UserID, Passcode, Domain code and Registration code before they are sent back to the server itself and potentially poison the navigation of the user and steal other sensitive informations via social engineering (injecting additional fields in the form or showing "additional functions" to the user) abusing user's trust. Remediation consists in proper escaping the user controlled inputs. [1] http://www_ush_it/2006/01/25/php5-globals-vulnerability/ VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20080320 Bug discovered 20080320 Vendor contacted 20080411 Advisory released IX. CREDIT Francesco "ascii" Ongaro and Antonio "s4tan" Parata are credited with the discovery of this vulnerability. Francesco "ascii" Ongaro web site: http://www_ush_it/ mail: ascii AT ush DOT it Antonio "s4tan" Parata web site: http://www.ictsc.it/ mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it X. LEGAL NOTICES Copyright (c) 2008 Francesco "ascii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.