[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Persistent XSS Vulnerability in CMS Papoo Light v6.0.0 Rev. 4701

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Persistent XSS Vulnerability in CMS Papoo Light v6.0.0 Rev. 4701
From: steffen.roesemann1986@xxxxxxxxx
Date: Mon, 15 Dec 2014 13:11:31 GMT

Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6
Advisory ID: SROEADV-2014-01
Author: Steffen Rösemann
Affected Software: CMS Papoo Version 6.0.0 Rev. 4701
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook 
functionality and in its user-registration functionality.

==================
Technical Details:
==================

XSS-Vulnerability #1:

Papoo Light CMS v6 provides the functionality to post comments on a guestbook 
via the following url: http://{target-url}/guestbook.php?menuid=6.

The input fields with the id ?author? is vulnerable to XSS which gets stored in 
the database and makes that vulnerability persistent.

Payload-Examples:

<img src='n' onerror=?javascript:alert('XSS')? >
<iframe src=?some_remote_source?></iframe>

XSS-Vulnerability #2:

People can register themselves on Papoo Light v6 CMS at 
http://{target-url}/account.php?menuid=2. Instead of using a proper username, 
an attacker can inject HTML and/or JavaScriptcode on the username input-field.

Code gets written to the database backend then. Attacker only has to confirm 
his/her e-mail address to be able to login and spread the code by posting to 
the forum or the guestbook where the username is displayed.

Payload-Examples:

see above (XSS #1)

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================
13-Dec-2014 ? found XSS #1
13-Dec-2014 - informed the developers (XSS #1)
14-Dec-2014 ? found XSS #2
14-Dec-2014 ? informed the developers (XSS #2)
15-Dec-2014 - release date of this security advisory
15-Dec-2014 - response and fix by vendor
15-Dec-2014 - post on BugTraq

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://www.papoo.de/
http://sroesemann.blogspot.de

Prev by Date: Vulnerabilities in Ekahau Real-Time Location Tracking System [MZ-14-01]
Next by Date: [ MDVSA-2014:253 ] apache-mod_wsgi
Previous by thread: Vulnerabilities in Ekahau Real-Time Location Tracking System [MZ-14-01]
Next by thread: [ MDVSA-2014:253 ] apache-mod_wsgi
Index(es):
- Date
- Thread