[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Micro CMS Persistent XSS Vulnerability.
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Micro CMS Persistent XSS Vulnerability.
- From: SecPod Research <research@xxxxxxxxxx>
- Date: Thu, 21 Oct 2010 19:06:41 +0530
Hi,
SecPod Research Team has found a Persistent Cross-Site vulnerability in
Micro CMS.
Advisory details has been attached to this mail.
Regards,
SecPod Research Team
http://www.secpod.com
##############################################################################
Micro CMS Persistent Cross-Site Scripting Vulnerability.
SecPod Technologies (www.secpod.com)
Author Veerendra G.G
###############################################################################
SecPod ID: 1004 09/03/2010 Issue Discovered
09/05/2010 Vendor Notified
No Response from Vendor
Class: Persistent Cross-Site Scripting Severity: High
Overview:
---------
Micro CMS is prone to Persistent Cross-Site Scripting Vulnerability.
Technical Description:
----------------------
Micro CMS is prone to a Persistent Cross-Site vulnerability because it fails to
properly sanitize user-supplied input.
Input passed via the 'name' parameter(also in text-area) in a comment section
to "comments/send/" is not properly verified before it is returned to the
user. This can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of a vulnerable site. This may allow
the attacker to steal cookie-based authentication and to launch further attacks.
The exploit has been tested in Micro CMS 1.0 beta 1
Impact:
--------
Successful exploitation allows an attacker to execute arbitrary HTML and script
code in a user's browser session in the context of a vulnerable site.
Affected Software:
------------------
Micro CMS 1.0 beta 1 and prior
References:
-----------
http://www.micro-cms.com/
http://secpod.org/blog/?p=135
http://www.exploit-db.com/exploits/15147/
http://secpod.org/advisories/SECPOD_MicroCMS.txt
Proof of Concepts:
------------------
Add the following attack strings:
1. My XSS Test </legend><script> alert('XSS-Test')</script> <!--
OR
2. My XSS Test </legend><script> alert('XSS-Test')</script>
OR
3. <script> alert('XSS-Test')</script>
in "* Name" textbox in comment section and fill other sections properly.
NOTE : Some time above POC/Exploit will disable adding comments for that post.
Workaround:
-----------
Not available
Solution:
----------
Not available
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = PARTIAL
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.8 (AV:N/AC:M/Au:NR/C:N/I:P/A:P)
CVSS Temporal Score = 5.2
Risk factor = High
Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.
- Prev by Date:
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
- Next by Date:
[security bulletin] HPSBMA02592 SSRT100300 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows Running Adobe Flash, Remote Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized Modification
- Previous by thread:
[ MDVSA-2010:207 ] glibc
- Next by thread:
[security bulletin] HPSBMA02592 SSRT100300 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows Running Adobe Flash, Remote Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized Modification
- Index(es):