[<prev] [next>] [day] [month] [year] [list]
From: b240503 at gyrniff.dk (gyrniff)
Subject: XSS in Synkron.web CMS
Release Date: 06.06.2003
Application: Synkron.web 3
Vendor: http://www.synkron.com/
Category: XSS
Risk: Low
Vendor Status: Absend
Author: Torben 'Gyrniff' Frohn
Intro
====
Synkron.web 3 is a module based CMS running on IIS.
"Ever since 1997, it has been Synkron's mission to help companies manage on
their own when setting up a presence on the Internet. To achieve this,
Synkron has developed a so-called "Web content management" system, which
everyone with a user-level knowledge of IT can learn to use in less than a
single day." (quote from vendor site.)
Problem
======
The search module do not html encode incoming special characters in the
output. It is not an easy task to exploit because of the POST method used in
the search, but synkron .web have a caching that could be used in an exploit.
Proof of Concept
=============
First visit the search page:
http://www.example.net/sw000.asp
Then search for:
"><script>alert('test')</script>
You will see a javascript pop-up.
Finally visit the cached page:
http://www.example.net/sw000.asp?SearchCacheId=xx\
&SearchPageNumberII=1&SearchParaId=y&SearchParaType=zzz
This will show the same javascript pop-up as above.
Full Disclosure
===========
N/A, but http://www.synkron.com/ contain links to vulnerable sites.
Fix
===
Unknown but probably fixed in version 3.5.
Credits
=====
Vulnerability found by Torben Frohn (Gyrniff)
Powered by blists - more mailing lists