Vulnerabilities > CVE-2002-1802 - HTML Injection vulnerability in Xoops 1.0Rc3

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
xoops
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in Xoops 1.0 RC3 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag when submitting news.

Vulnerable Configurations

Part Description Count
Application
Xoops
1

Exploit-Db

description: XOOPS 1.0 RC3 HTML Injection Vulnerability. CVE-2002-1802. Webapps exploit for php platform
id: EDB-ID:21829
last seen: 2016-02-02
modified: 2002-09-24
published: 2002-09-24
reporter: [email protected]
source: https://www.exploit-db.com/download/21829/
title: XOOPS 1.0 RC3 HTML Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: XOOPS_PATH_DISCLOSURE.NASL
description: The version of XOOPS installed on the remote host is affected by SQL injection, cross-site scripting, and information disclosure.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11439
published: 2003-03-22
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11439
title: XOOPS 1.0 RC1 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

# Ref :
#  Date: 20 Mar 2003 19:58:55 -0000
#  From: "Gregory" Le Bras <[email protected]>
#  To: [email protected]
#  Subject: [SCSA-011] Path Disclosure Vulnerability in XOOPS
#
# This check will incidentally cover other flaws.


include("compat.inc");

# Registration section: when the scanner evaluates the script with
# `description` set, only the metadata below is recorded and the script
# leaves through exit(0) at the end of this block, before any request is sent.
if (description)
{
 script_id(11439);
 script_version("1.25");
 script_cvs_date("Date: 2018/11/15 20:50:19");
 # Three CVE ids and six Bugtraq ids are reported together under this one
 # plugin id, so a finding does not say which of them was actually observed.
 script_cve_id("CVE-2002-0216", "CVE-2002-0217", "CVE-2002-1802");
 script_bugtraq_id(3977, 3978, 3981, 5785, 6344, 6393);

 script_name(english:"XOOPS 1.0 RC1 Multiple Vulnerabilities");
 script_summary(english:"Checks for XOOPS");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The version of XOOPS installed on the remote host is affected by SQL
injection, cross-site scripting, and information disclosure." );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=104820295115420&w=2");
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=101232435812837&w=2" );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=101232476214247&w=2" );
 script_set_attribute(attribute:"solution", value:"Unknown at this time.");
  # CVSS v2 base vector: network-reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal vector: proof-of-concept exploit code (E:POC), official fix
  # (RL:OF), confirmed report (RC:C).
  # NOTE(review): RL:OF sits next to a solution of "Unknown at this time.", and
  # E:POC next to exploit_available "false" -- the metadata is not
  # self-consistent; confirm before using it for prioritisation.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
 # 20 (input validation), 74 (injection) and 79 (XSS) are weakness ids.
 # NOTE(review): most of the remaining numbers look like CWE category/view
 # identifiers rather than specific weaknesses -- confirm.
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/01/29");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/22");

script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 # ACT_ATTACK: the check sends a crafted request to the target rather than
 # relying on a banner or version string alone.
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 # Scheduled after xoops_detect.nasl and gated on the "www/xoops" KB key
 # (presumably written by that detection plugin -- verify).
 script_dependencie("xoops_detect.nasl");
 script_require_ports("Services/www", 80);
 script_require_keys("www/xoops");
 exit(0);
}

# The script code starts here
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

# Pick the HTTP port to test (default 80); php:1 restricts the check to
# servers the scanner believes can run PHP.
port = get_http_port(default:80, php: 1);

# Look up the XOOPS install recorded in the KB for this port; exit_on_fail
# ends the script when none is known.
install = get_install_from_kb(appname: "xoops", port: port, exit_on_fail: 1);
base_dir = install['dir'];

# Single probe: request index.php with an unexpected xoopsOption value and
# look for a PHP "Fatal error ... in <b>/" message, i.e. an absolute
# filesystem path leaking into the response.
probe = strcat(base_dir, "/index.php?xoopsOption=nessus");
res = http_send_recv3(method:"GET", item: probe, port:port, exit_on_fail: 1);

# NOTE(review): only the path-disclosure symptom is tested. A match is then
# recorded as XSS and SQL injection as well, so those two KB flags are
# inferred from the error message, not demonstrated. Presumably a host that
# suppresses PHP error output would not match even when running an affected
# release -- confirm before treating a clean result as "not vulnerable".
if (egrep(pattern:"Fatal error.* in <b>/", string: res[2]))
{
  if (report_verbosity > 0)
  {
    # Verbose reporting: include the URL that triggered the error.
    details = get_vuln_report(items: probe, port: port);
    security_hole(port: port, extra: details);
  }
  else
    security_hole(port);

  # Flags consumed by other plugins through the KB.
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
}
# No match: nothing is reported and execution falls through.