lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CALH-=7zv8Y2SXvweDHzr2gnGBWXd9D6p2aBvC9tHy68ots7oNA@mail.gmail.com>
Date: Fri, 9 Jan 2015 06:22:07 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Reflecting XSS vulnerability in CMS e107 v. 1.0.4

Advisory: Reflecting XSS vulnerability in CMS e107 v. 1.0.4
Advisory ID: SROEADV-2014-05
Author: Steffen Rösemann
Affected Software: CMS e107 v. 1.0.4
Vendor URL: http://e107.org
Vendor Status: did not respond to issue
CVE-ID: -

==========================
Vulnerability Description:
==========================

The CMS e107 v. 1.0.4 has a reflecting XSS vulnerability in its
administrative backend which can be exploited by bypassing an XSS filter.

==================
Technical Details:
==================

The filemanager functionality of CMS e107 v. 1.0.4 has a reflecting XSS
vulnerability. The filemanager is located here on a normal e107
installation:

http://{TARGET}/e107_admin/filemanager.php

The e107 files are located in the following folder, which is created when
installing the CMS:

http://{TARGET}/e107_admin/filemanager.php?e107_files/

By appending specially crafted HTML and/or JavaScript-code, an attacker
could exploit this vulnerability.

Exploit-Example:

http://{TARGET}/e107_admin/filemanager.php?e107_files/%3C%73%63%72%69%70%74%3Ealert(String.fromCharCode(34,
88, 83, 83,
34))%3C%2F%73%63%72%69%70%74%3E%3C!--%3C%2F%73%63%72%69%70%74%3E%3C!--

=========
Solution:
=========

Vendor didn't responded to this issue, as it is announced that issues on
e107 v. 1.0.4 are handled on lower priority.


====================
Disclosure Timeline:
====================
26/27-Dec-2014 – found the vulnerability
27-Dec-2014 - informed the developers
27-Dec-2014 – release date of this security advisory [without technical
details]
03-Dec-2014 - opened up an issue on Github as vendor not responded (see
https://github.com/e107inc/e107v1/issues/2)
09-Jan-2015 - release date of this security advisory
09-Jan-2015 - send to lists



========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://e107.org
[2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-05.html
[3] https://github.com/e107inc/e107v1/issues/2
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-05.html

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists