Open Source and information security mailing list archives
Message-ID: <003d01ccbdd0$2ef86620$9b7a6fd5@ml>
Date: Sun, 18 Dec 2011 23:56:30 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: CS and XSS vulnerabilities in Zeema CMS

Hello list!

I want to warn you about Content Spoofing and Cross-Site Scripting vulnerabilities in Zeema CMS. It's Ukrainian commercial CMS.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Zeema CMS.

----------
Details:
----------

Content Spoofing (WASC-12):

Because of possibility of direct request to script http://site/counter/counter.php with spoofing of parameter ref and Referer header, the statistic manipulation is possible (with the purpose of referer spoofing, SEO spam, malware spam and littering and distortion of the statistic).

At that, if statistic module was turned off, then for conducting of CS and XSS attacks it can be bypassed by direct request to script counter.php.

XSS (persistent) (WASC-08):

At requests to external pages of the site there is insufficient input data validation in Referer header, which allows to conduct Persistent XSS attack. The code will execute at different pages of statistic.

Send the next value of Referer header at visiting of any external page of web site:

Referer: http://site.com/?<script>alert(document.cookie)</script>

At requests to counter.php there is insufficient input data validation in parameter ref, which allows to conduct Persistent XSS attack. The code will execute at different pages of statistic.

http://site/counter/counter.php?site=counter&screen=1024x768&color=32&ref=http://www.sites.com/?%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

With setting Referer header (any URL):

Referer: http://site.com

At requests to counter.php there is insufficient input data validation in Referer header, which allows to conduct Persistent XSS attack. The code will execute at different pages of statistic.

http://site/counter/counter.php?site=counter&screen=1024x768&color=32&ref=http://site.com

With setting Referer header:

Referer: http://site.com/?<script>alert(document.cookie)</script>

------------
Timeline:
------------

2011.09.12 - found vulnerabilities during audit. After that client straight away informed developers.
2011.11.03 - announced at my site.
2011.11.04 - informed developers.
2011.12.17 - disclosed at my site.

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5486/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
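
The persistent XSS described in the message comes from a referrer value (Referer header or `ref` parameter) being stored and later written into statistics pages without encoding. The following is an added example, not part of the original post and not Zeema CMS code, showing a defensive handling of such a value in PHP: validation before storage and HTML encoding at output. The function names `normalize_referrer`, `h` and `render_referrer_row` are hypothetical, and the sample values are constructed from the shapes quoted in the advisory.

```php
<?php
declare(strict_types=1);
// Added illustration; function names are hypothetical, not Zeema CMS code.

/** Validate a referrer (Referer header or `ref` parameter) before storing it. */
function normalize_referrer(?string $raw, int $maxLen = 2048): ?string
{
    if ($raw === null || $raw === '' || strlen($raw) > $maxLen) {
        return null;
    }
    // Control characters have no place in a URL that will be logged and displayed.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw) === 1) {
        return null;
    }
    $parts = parse_url($raw);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // The value is later used as a link target, so allow only web schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

/** Encode for HTML text and quoted attribute values. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one referrer row of a statistics page. */
function render_referrer_row(string $stored): string
{
    $safe = h($stored); // encode at output, whatever was validated at input
    return '<tr><td><a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a></td></tr>';
}

// Constructed samples: the two value shapes from the advisory plus a non-web scheme.
$samples = [
    'http://site.com/?<script>alert(document.cookie)</script>',
    'http://www.sites.com/?"><script>alert(document.cookie)</script>',
    'ftp://files.example/pub',
];
foreach ($samples as $s) {
    $stored = normalize_referrer($s);
    echo $stored === null ? "rejected: " . h($s) . "\n" : render_referrer_row($stored) . "\n";
}
```

The first two samples pass validation because they are syntactically acceptable http URLs; it is the encoding in `render_referrer_row` that turns `<`, `>` and `"` into entities so the stored value is displayed as text instead of being interpreted as markup.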