TISA2007-06-Public.txt
Posted on 17 July 2007
========================================================================= TeamIntell Security Advisory TISA2007-06-Public ------------------------------------------------------------------------- Element CMS "s" parameter script insertion vulnerability ========================================================================= Release Date: 14.7.2007 Severity: Less critical Impact: Cross-site scripting (XSS) Status: Official patch not available (0-day) Software: Element CMS Vendor: http://www.element.si http://www.elementcms.si Disclosed: Edi Strosar (TeamIntell) Description: ============ Element CMS, a full featured Slovenian content management system, is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. Input passed to the "s" parameter in default.asp is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in all versions of Element CMS. Proof of Concept: ================= http://demo2.element.si/default.asp?pID=search&mid=sl&s="><script>alert(String.fromCharCode(88,83,83))</script> Solution: ========= Vendor informed. Official patch not available. Note: because of arrogant and unprofessional vendor's response TeamIntell decided to release the advisory. Contact: ======== Maldin d.o.o. Trzaska cesta 2 1000 Ljubljana - SI tel: +386 (0)590 70 170 fax: +386 (0)590 70 177 gsm: +386 (0)31 816 400 web: www.teamintell.com e-mail: info@teamintell.com Disclaimer: =========== The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/