High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Pivotx which could be exploited to perform cross-site scripting attacks and disclose potentially sensitive information.
Cross-site scripting (XSS) vulnerabilities in Pivotx: CVE-2011-0772
1.1 The vulnerability exists due to an input sanitization error in the "color" parameter in includes/blogroll.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://[host]/includes/blogroll.php?id=1&color=123;}</style><script>alert("XSS");</script>
1.2 The vulnerability exists due to an input sanitization error in the "src" parameter in includes/timwrapper.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://[host]/includes/timwrapper.php?src=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
Installation path disclosure weakness in Pivotx
The weakness exists because the application reveals the full path to its installation directory in an error message. A remote attacker can directly access the /includes/ping.php or /includes/spamping.php scripts and learn the web root directory and other potentially sensitive information.
Exploitation example:
http://[host]/includes/ping.php
http://[host]/includes/spamping.php
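Added example for both the XSS findings (1.1, 1.2) and the path disclosure weakness; this is not High-Tech Bridge's or PivotX's code. It models the two sinks the advisory names with an allow-list fix, and flags requests matching all three issues in constructed access-log lines. The allow-list patterns, the log format and the function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow-lists for the two parameters named in the advisory (assumed, not PivotX's).
HEX_COLOR = re.compile(r"[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?")
IMAGE_PATH = re.compile(r"(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(?:png|jpe?g|gif)")

def render_color_safe(color, default="000000"):
    """Hardened <style> sink: a value that is not a hex colour falls back to default."""
    if not HEX_COLOR.fullmatch(color):
        color = default
    return f"<style>a {{ color: #{color}; }}</style>"

def render_src_safe(src):
    """Hardened attribute sink: reject anything but a relative image path, then escape."""
    if not IMAGE_PATH.fullmatch(src):
        return None
    return f'<img src="{html.escape(src, quote=True)}">'

# Detection over constructed Apache-style access log lines (not real traffic).
PROBE_SCRIPTS = ("/includes/ping.php", "/includes/spamping.php")
LOG = [
    '203.0.113.5 - - [10/Jan/2011:10:00:00 +0000] "GET /includes/blogroll.php?id=1&color=ff0000 HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Jan/2011:10:00:01 +0000] "GET /includes/blogroll.php?id=1&color=123%3B%7D%3C/style%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2011:10:00:02 +0000] "GET /includes/timwrapper.php?src=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 420',
    '203.0.113.5 - - [10/Jan/2011:10:00:03 +0000] "GET /includes/ping.php HTTP/1.1" 200 180',
]

def _param_ok(qs, name, pattern):
    # An absent parameter is fine; every supplied value must match the allow-list.
    return all(pattern.fullmatch(v) for v in qs.get(name, []))

def suspicious_requests(log_lines=LOG):
    """Return (path, reason) for requests matching the advisory's three issues."""
    hits = []
    for line in log_lines:
        target = line.split('"')[1].split(" ")[1]  # path+query from the request line
        parts = urlsplit(target)
        qs = parse_qs(parts.query)  # percent-decodes values before checking them
        if parts.path in PROBE_SCRIPTS:
            hits.append((parts.path, "direct access; path disclosure probe"))
        elif parts.path.endswith("/blogroll.php") and not _param_ok(qs, "color", HEX_COLOR):
            hits.append((parts.path, "color is not a hex value"))
        elif parts.path.endswith("/timwrapper.php") and not _param_ok(qs, "src", IMAGE_PATH):
            hits.append((parts.path, "src is not a plain image path"))
    return hits
```

Encoded values in the query string are decoded by parse_qs before the allow-list check, so the encoded form of the second exploit example is flagged just like the literal one.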