Re: Stored XSS vulnerability in diafan.CMS
- To: advisory@xxxxxxxxxxx
- Subject: Re: Stored XSS vulnerability in diafan.CMS
- From: security curmudgeon <jericho@xxxxxxxxxxxxx>
- Date: Wed, 27 Apr 2011 00:01:43 -0500 (CDT)
: Vulnerability ID: HTB22776
: Reference: http://www.htbridge.ch/advisory/stored_xss_vulnerability_in_diafan_cms.html
: Product: diafan.CMS
: Vulnerability Details:
: User can execute arbitrary JavaScript code within the vulnerable application.
:
: The vulnerability exists due to failure in the
: "http://host/admin/site/save2/" script to properly sanitize
: user-supplied input in "text" variable. Successful exploitation of this
: vulnerability could result in a compromise of the application, theft of
: cookie-based authentication credentials, disclosure or modification of
: sensitive data.
This is the site editor functionality, correct? This requires
administrative access and is *designed* to allow the admin to enter any
HTML or script code desired.
If an attacker can access this page, couldn't they do other bad things? Is
there really a crossing of privilege boundary here?