##############################################################################
Title: Micro CMS Persistent Cross-Site Scripting Vulnerability.
Author : Veerendra G.G from SecPod Technologies (www.secpod.com)
Vendor : http://www.micro-cms.com/
Advisory : http://secpod.org/blog/?p=135
           http://secpod.org/advisories/SECPOD_MicroCMS.txt
Version: Micro CMS 1.0 beta 1
Date : 09/28/2010
###############################################################################

SecPod ID: 1004
09/03/2010 Issue Discovered
09/05/2010 Vendor Notified
No Response from Vendor

Class: Persistent Cross-Site Scripting
Severity: High

Overview:
---------
Micro CMS is prone to a Persistent Cross-Site Scripting Vulnerability.

Technical Description:
----------------------
Micro CMS is prone to a Persistent Cross-Site Scripting vulnerability because it
fails to properly sanitize user-supplied input. Input passed via the 'name'
parameter (and also the text area) in the comment section to "comments/send/" is
not properly verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the context
of a vulnerable site. This may allow the attacker to steal cookie-based
authentication and to launch further attacks.

The exploit has been tested in Micro CMS 1.0 beta 1.

Impact:
--------
Successful exploitation allows an attacker to execute arbitrary HTML and script
code in a user's browser session in the context of a vulnerable site.

Affected Software:
------------------
Micro CMS 1.0 beta 1 and prior

References:
-----------
http://www.micro-cms.com/
http://secpod.org/blog/?p=135
http://secpod.org/advisories/SECPOD_MicroCMS.txt

Proof of Concepts:
------------------
Add the following attack strings:

1. My XSS Test </legend><script> alert('XSS-Test')</script> <!--
   OR
2. My XSS Test </legend><script> alert('XSS-Test')</script>
   OR
3. <script> alert('XSS-Test')</script>

in the "* Name" textbox in the comment section and fill the other fields properly.

NOTE: Sometimes the above POC/Exploit will disable adding comments for that post.

Workaround:
-----------
Not available

Solution:
----------
Not available

Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = PARTIAL
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.8 (AV:N/AC:M/Au:NR/C:N/I:P/A:P)
CVSS Temporal Score = 5.2
Risk factor = High

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.
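As an added illustration (not part of this advisory and not Micro CMS code), the following Python models the defect described in the Technical Description and checks the three PoC strings from the Proof of Concepts section against an unescaped render and a render with HTML output encoding. The fieldset/legend wrapper is an assumption inferred from the "</legend>" in the PoC strings; the real template is not shown here.

```python
import html
import re

# The advisory's three PoC strings, as they would be typed into "* Name".
POC_NAMES = [
    "My XSS Test </legend><script> alert('XSS-Test')</script> <!--",
    "My XSS Test </legend><script> alert('XSS-Test')</script>",
    "<script> alert('XSS-Test')</script>",
]

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_comment_vulnerable(name: str, text: str) -> str:
    """Echo the stored name and body verbatim: the defect the advisory reports.

    Assumed layout: the name sits inside <legend>, which is why the PoC strings
    start with "</legend>" to close that element before injecting <script>.
    """
    return f"<fieldset><legend>{name}</legend><p>{text}</p></fieldset>"


def render_comment_fixed(name: str, text: str) -> str:
    """Same layout with context-appropriate output encoding for HTML text.

    html.escape turns < > & " ' into entities, so "</legend>" and "<script>"
    arrive in the browser as literal text rather than markup.
    """
    return (f"<fieldset><legend>{html.escape(name, quote=True)}</legend>"
            f"<p>{html.escape(text, quote=True)}</p></fieldset>")


def contains_live_script(rendered_html: str) -> bool:
    """True when an unescaped <script> tag survives in the rendered markup."""
    return SCRIPT_TAG.search(rendered_html) is not None


def check_all(render) -> dict:
    """Map each PoC name to whether the given renderer lets <script> through."""
    return {name: contains_live_script(render(name, "constructed comment body"))
            for name in POC_NAMES}


if __name__ == "__main__":
    for label, render in (("vulnerable", render_comment_vulnerable),
                          ("fixed", render_comment_fixed)):
        print(label, check_all(render))
```

Running it shows every PoC string reaching the page as live markup through the verbatim renderer and none through the escaping one, which is the check a reviewer would put into the comment-rendering code path.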