Cross-site Scripting (XSS) Vulnerabilities in Calendarix

2011-04-26T00:00:00
ID HTB22974
Type htbridge
Reporter High-Tech Bridge
Modified 2011-04-26T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Calendarix which could be exploited to perform cross-site scripting attacks.

1) Cross-site scripting (XSS) vulnerabilities in Calendarix
1.1 The vulnerability exists due to input sanitization errors in the handling of the URL in cal_login.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://[host]/cal_login.php/%27%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
1.2 The vulnerability exists due to an input sanitization error in the "gocat" parameter in cal_catview.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
<form action="http://[host]/cal_catview.php?catop=viewcat" method="post" name="main">
<input type="hidden" name="gocat" value="'</script><script>alert(document.cookie);</script>"/>
<input type="submit" value="submit"/>
</form>
1.3 The vulnerability exists due to input sanitization errors in the "frmname" and "leftfooter" parameters in cal_date.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation examples:
http://[host]/cal_date.php?frmname=%3C/script%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
http://[host]/cal_footer.inc.php?leftfooter=%3Cscript%3Ealert%28123%29;%3C/script%3E
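
A log review for the request patterns listed above, as an added example that is not part of the original advisory. It assumes a combined-format web server access log; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Parameters named in the advisory. "gocat" is sent in a POST body, which access
# logs do not record; it is listed for requests that carry it in the query string.
WATCHED_PARAMS = {"gocat", "frmname", "leftfooter"}
MARKUP = re.compile(r"[<>'\"]")  # characters that can break out of HTML/JS context
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP addresses, hypothetical benign values).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2011:10:00:01 +0000] "GET /cal_login.php HTTP/1.1" 200 2310',
    '192.0.2.11 - - [26/Apr/2011:10:00:05 +0000] "GET /cal_login.php/%27%3E%3Cscript%3Ealert%28123%29;%3C/script%3E HTTP/1.1" 200 2402',
    '192.0.2.10 - - [26/Apr/2011:10:00:09 +0000] "GET /cal_date.php?frmname=main HTTP/1.1" 200 1800',
    '192.0.2.12 - - [26/Apr/2011:10:00:12 +0000] "GET /cal_date.php?frmname=%3C/script%3E%3Cscript%3Ealert%28123%29;%3C/script%3E HTTP/1.1" 200 1850',
    '192.0.2.12 - - [26/Apr/2011:10:00:13 +0000] "GET /cal_footer.inc.php?leftfooter=%3Cscript%3Ealert%28123%29;%3C/script%3E HTTP/1.1" 200 310',
]

def findings(request_uri):
    """Return the reasons a request URI matches one of the advisory's vectors."""
    parts = urlsplit(request_uri)
    reasons = []
    # 1.1: extra path data after the script name (PATH_INFO) that carries markup.
    extra = re.search(r"\.php(/.*)$", unquote(parts.path), re.IGNORECASE)
    if extra and MARKUP.search(extra.group(1)):
        reasons.append("markup in path after .php")
    # 1.2 / 1.3: markup in one of the named parameters (parse_qsl percent-decodes).
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and MARKUP.search(value):
            reasons.append(f"markup in parameter {name}")
    return reasons

def scan(log_lines):
    """Return (line, reasons) for every log line whose request is flagged."""
    hits = []
    for line in log_lines:
        request = REQUEST.search(line)
        reasons = findings(request.group(1)) if request else []
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print("; ".join(reasons), "<-", line)
```

A hit shows that a crafted request reached the server, not that script ran in a browser; the fix remains output encoding of these values in the affected scripts.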