Message-ID: <alpine.LNX.2.00.1009301534310.27572@forced.attrition.org>
Date: Thu, 30 Sep 2010 15:38:22 -0500 (CDT)
From: security curmudgeon <jericho@...rition.org>
To: advisory@...ridge.ch
Cc: bugtraq@...urityfocus.com
Subject: Re: XSS vulnerability in Pluck


: Vulnerability ID: HTB22610
: Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluck.html
: Vulnerable Version: 4.6.3 and probably prior versions
: Vendor Notification: 15 September 2010 
: Vulnerability Type: XSS (Cross Site Scripting)
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: Medium 
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

: Vulnerability Details:
: User can execute arbitrary JavaScript code within the vulnerable application.
: 
: The vulnerability exists due to failure in the 
: "data/modules/blog/pages_admin/newpost.php" script to properly sanitize 
: user-supplied input in "cont1" variable. Successful exploitation of this 
: vulnerability could result in a compromise of the application, theft of 
: cookie-based authentication credentials, disclosure or modification of 
: sensitive data.

First off, this requires administrator credentials to exploit. Second, a 
Pluck administrator can already insert any content s/he desires by 
creating/editing a page, so there is no gain from using this intended 
functionality. For this attack to take place, it would really require 
something like a CSRF.

Fortunately for attackers, it seems you guys missed the CSRF in this 
application that HolisticInfoSec found:

http://holisticinfosec.org/content/view/154/45/

Keep up the solid research guys.

- security curmudgeon

Powered by blists - more mailing lists