[webapps / 0day] - Micro CMS v1.0 b1 Persistent XSS Vulnerab
Posted on 28 September 2010
==============================================
Micro CMS v1.0 b1 Persistent XSS Vulnerability
==============================================

Class: Persistent Cross-Site Scripting
Severity: High

Overview:
---------
Micro CMS is prone to a Persistent Cross-Site Scripting vulnerability.

Technical Description:
----------------------
Micro CMS is prone to a Persistent Cross-Site Scripting vulnerability because it fails to properly sanitize user-supplied input. Input passed via the 'name' parameter (and also in the text area) of the comment section submitted to "comments/send/" is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.

This may allow the attacker to steal cookie-based authentication credentials and to launch further attacks.

The exploit has been tested in Micro CMS 1.0 beta 1.

Impact:
-------
Successful exploitation allows an attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.

Affected Software:
------------------
Micro CMS 1.0 beta 1 and prior

References:
-----------
http://www.micro-cms.com/
http://secpod.org/blog/?p=135
http://secpod.org/advisories/SECPOD_MicroCMS.txt

Proof of Concepts:
------------------
Add one of the following attack strings:

1. My XSS Test </legend><script> alert('XSS-Test')</script> <!--

OR

2. My XSS Test </legend><script> alert('XSS-Test')</script>

OR

3. <script> alert('XSS-Test')</script>

in the "* Name" textbox of the comment section and fill in the other fields properly.

NOTE: Sometimes the above PoC/exploit will disable adding comments for that post.

Workaround:
-----------
Not available

Solution:
---------
Not available

Risk Factor:
------------
CVSS Score Report:
ACCESS_VECTOR          = NETWORK
ACCESS_COMPLEXITY      = MEDIUM
AUTHENTICATION         = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = PARTIAL
EXPLOITABILITY         = PROOF_OF_CONCEPT
REMEDIATION_LEVEL      = UNAVAILABLE
REPORT_CONFIDENCE      = CONFIRMED
CVSS Base Score        = 5.8 (AV:N/AC:M/Au:NR/C:N/I:P/A:P)
CVSS Temporal Score    = 5.2
Risk factor            = High

# Inj3ct0r.com [2010-09-28]
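A defender's illustration of the flaw and of the standard output-encoding fix, added here and not part of the advisory or of Micro CMS's own code: it assumes, from the `</legend>` attack strings, that the commenter's name is echoed inside a `<legend>` element (the real template is not shown), and runs the advisory's three strings through a raw renderer and an escaped one to show which of them lets new elements into the page.

```python
import html
import re

# Assumed template for this example: the "</legend>" in the advisory's strings
# suggests the name is rendered inside a <legend>; Micro CMS's template is not
# on the page, so this is a stand-in.
TEMPLATE_TAGS = {"fieldset", "legend", "p"}

# The three attack strings quoted in the advisory, reused here as test inputs.
ADVISORY_NAMES = [
    "My XSS Test </legend><script> alert('XSS-Test')</script> <!--",
    "My XSS Test </legend><script> alert('XSS-Test')</script>",
    "<script> alert('XSS-Test')</script>",
]


def render_comment_vulnerable(name: str, text: str) -> str:
    """Interpolate user input straight into markup, as the advisory describes."""
    return f"<fieldset><legend>{name}</legend><p>{text}</p></fieldset>"


def render_comment_safe(name: str, text: str) -> str:
    """Contextual output encoding: escape <, >, &, and quotes before rendering."""
    return (f"<fieldset><legend>{html.escape(name, quote=True)}</legend>"
            f"<p>{html.escape(text, quote=True)}</p></fieldset>")


_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def tag_names(markup: str) -> set:
    """Element names a lenient HTML parser would see in the markup."""
    return {m.group(1).lower() for m in _TAG_RE.finditer(markup)}


def injects_markup(markup: str) -> bool:
    """True if user data added elements or a comment beyond the template."""
    return bool(tag_names(markup) - TEMPLATE_TAGS) or "<!--" in markup


def audit(names=ADVISORY_NAMES):
    """For each attack string: (raw renderer injects?, escaped renderer injects?)."""
    return [(injects_markup(render_comment_vulnerable(n, "hello")),
             injects_markup(render_comment_safe(n, "hello"))) for n in names]
```

Escaping at the point of output is what the advisory's missing sanitization amounts to in practice; string 1 additionally shows why a stray `<!--` must be caught, since it comments out the rest of the template.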