lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALH-=7ydqfJeDZoQU_4ivczdqJDMo9ZTv1_WP6PATSYDPJRTaQ@mail.gmail.com>
Date: Wed, 24 Dec 2014 00:02:26 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5

Advisory: Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5
Advisory ID: SROEADV-2014-03
Author: Steffen Rösemann
Affected Software: CMS Contenido 4.9.x-4.9.5 (Release: 10th Dec 2014)
Vendor URL: http://www.contenido.org/de/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System Contenido 4.9.x to 4.9.5 has a reflecting XSS
vulnerability in its error-handler function which displays parameters on
the webpage when unexpected values are being transmitted by the client.
This vulnerability occurs when feature advanced mod rewrite (AMR) is
disabled, which rewrites urls for SEO purposes.

==================
Technical Details:
==================

If unexpected values are being transmitted via the parameters „idart“,
„lang“ and/or „idcat“ to the PHP-Script

http://{IP/HOSTNAME}/cms/front_content.php

an error will be thrown which displays the passed value to the user on the
webpage without sanitizing it.

Payload-Examples:

http://
{IP/HOSTNAME}/cms/front_content.php?idcat=41&lang=1<script>alert("XSS")</script>

http://{IP/HOSTNAME}/cms/front_content.php?idcat=41<iframe
src="some_remote_src" height="200" width="200" ></iframe>
&lang=1

http://
{IP/HOSTNAME}/cms/front_content.php?idart=32<script>alert(document.cookie)</script>

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================

17-Dec-2014 – found the vulnerability
17-Dec-2014 - informed the developers
18-Dec-2014 - response by vendor
19-Dec-2014 – fix by vendor
24-Dec-2014 - release date of this security advisory
24-Dec-2014 - post on FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://www.contenido.org/de/
http://sroesemann.blogspot.de

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ