
seagull-063-xss.txt

Posted on 25 January 2008

fuzion

Product: Seagull STABLE 0.6.3
http://seagullproject.org/

Vulnerable:
None of the theme CSS renderers appear to sanitize variables against cross-site scripting.

Register Globals = ON

Multiple cross-site scripting problems:
http://[site]/themes/default1/css/blockStyle.php?secondary=[xss]

Also vulnerable:
themes/default1/css/core.php
themes/default1/css/event.php
themes/default1/css/media.php
themes/default1/css/publisher.php
themes/default1/css/SglDefault_TwoLevel.nav.php
themes/default1/css/SglListamaticSubtle.nav.php
themes/default_admin/css/adminMenu_vertical.nav.php
themes/default_admin/css/block.php
themes/default_admin/css/blockStyle.php
themes/default_admin/css/cms.php
themes/default_admin/css/comment.php
themes/default_admin/css/core.php
themes/default_admin/css/navigation.php
themes/default_admin/css/publisher.php
themes/default_admin/css/user.php

Some common vulnerable variables:
secondary
fontFamilyAlt
primaryLight
greyLightest
leftColWidth
grey
primaryDark
primary
baseUrl

Several of these cause path disclosure as well:
http://[site]/themes/default_admin/css/core.php

PoC:
http://demo.seagullproject.org/themes/default_admin/css/core.php

Other vulnerabilities may be available if Seagull was not properly installed:
http://[site]/[path]/etc/mysql5_field_test.php?res=[xss]
http://[site]/[path]/modules/event/www/css/event.php?baseUrl=[xss]
http://[site]/[path]/modules/media/www/css/media.php?greyDark=[xss]
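
Added example, not Seagull source and not part of the original advisory: a sketch of how a PHP theme CSS renderer can be hardened against this class of bug by ignoring bare globals and allowlisting each theme value before it is written out. The variable names come from the list above; the default values, the patterns and the helper theme_value() are assumptions made for illustration.

```php
<?php
// Added illustration, not Seagull source. Variable names come from the
// advisory; the defaults, patterns and theme_value() are assumptions.

// The renderer never reads bare globals such as $secondary, so values
// pre-seeded from the query string by register_globals = On are ignored.
$defaults = array(
    'secondary'     => '#99cc00',
    'primaryDark'   => '#003366',
    'leftColWidth'  => '200px',
    'fontFamilyAlt' => 'Verdana, sans-serif',
);

// One anchored allowlist pattern per variable (\A and \z, so a trailing
// newline cannot slip past the end anchor).
$patterns = array(
    'secondary'     => '/\A#(?:[0-9a-f]{3}|[0-9a-f]{6})\z/i',
    'primaryDark'   => '/\A#(?:[0-9a-f]{3}|[0-9a-f]{6})\z/i',
    'leftColWidth'  => '/\A\d{1,4}(?:px|em|%)\z/',
    'fontFamilyAlt' => '/\A[A-Za-z][A-Za-z ,-]{0,63}\z/',
);

// Return the request override only if it matches the allowlist pattern for
// that variable; otherwise fall back to the built-in default.
function theme_value($name, array $input, array $defaults, array $patterns)
{
    if (!isset($defaults[$name], $patterns[$name])) {
        return '';
    }
    $candidate = isset($input[$name]) ? $input[$name] : null;
    if (is_string($candidate) && preg_match($patterns[$name], $candidate) === 1) {
        return $candidate;
    }
    return $defaults[$name];
}

// Declare the response as CSS and forbid content sniffing, so the body is
// not interpreted as HTML even if a bad value slipped through.
header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');

$v = array();
foreach (array_keys($defaults) as $name) {
    $v[$name] = theme_value($name, $_GET, $defaults, $patterns);
}

echo "body { font-family: {$v['fontFamilyAlt']}; }\n";
echo "#leftCol { width: {$v['leftColWidth']}; }\n";
echo "a { color: {$v['primaryDark']}; }\n";
echo ".block h2 { color: {$v['secondary']}; }\n";
```

A request carrying markup in secondary fails the colour pattern and the default is emitted instead; running with register_globals = Off removes the implicit variable seeding altogether.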

 
