Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2010-2022 Tenable Network Security, Inc.SILVERSTRIPE_FORUMS_XSS.NASL
HistoryJan 28, 2010 - 12:00 a.m.

SilverStripe Forums Module 'Search' Parameter XSS

2010-01-2800:00:00
This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.
www.tenable.com
13

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.006

Percentile

78.2%

JSON

The SilverStripe CMS install hosted on the remote web server includes a version of the Forums module that is affected by a cross-site scripting vulnerability. User input to the ‘Search’ parameter is not sanitized before being used to generate dynamic HTML.

An attacker can exploit this flaw to execute arbitrary script code in a user’s browser.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(44332);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2010-1593");
  script_bugtraq_id(37923);
  script_xref(name:"SECUNIA", value:"38347");

  script_name(english:"SilverStripe Forums Module 'Search' Parameter XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP application that is affected by a
cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The SilverStripe CMS install hosted on the remote web server includes
a version of the Forums module that is affected by a cross-site
scripting vulnerability.  User input to the 'Search' parameter is not
sanitized before being used to generate dynamic HTML.

An attacker can exploit this flaw to execute arbitrary script code in a
user's browser.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2010/Jan/445");
  script_set_attribute(attribute:"see_also", value:"http://www.silverstripe.org/silverstripe-2-3-5-released/");
  # https://groups.google.com/forum/?hl=en#!topic/silverstripe-announce/cdt-HGgEVtI
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?235cb799");
  script_set_attribute(attribute:"solution", value:
"Upgrade to SilverStripe Forums module 0.2.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/28");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:silverstripe:silverstripe");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");

  script_dependencies("silverstripe_detect.nasl");
  script_require_keys("www/PHP", "www/silverstripe");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(1, "The web server on port "+port+" does not support PHP.");

install = get_install_from_kb(appname:'silverstripe', port:port);
if (isnull(install)) exit(1, "SilverStripe CMS wasn't detected on port "+port+".");

res = http_send_recv3(method:"GET", item:install['dir']+'/forums/', port:port);
if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");

data = strstr(res[2], '<td class="even lastPost">') - '<td class="even lastPost">';

matches = eregmatch(string:data, pattern:'<a class="topicTitle" href=.*/show/.*>(.*)</a>');

topic = matches[1];
exploit = '"onMouseOver="alert(\''+topic+' '+SCRIPT_NAME+unixtime()+'\')"';

exploited = test_cgi_xss(
  port:port,
  dirs:make_list(install['dir']),
  cgi:"/forums/search/",
  qs:"Search="+urlencode(str:exploit),
  pass_str:'<a href="forums/search/?Search='+exploit+'" class="current"',
  ctrl_re:'SilverStripe Open Source CMS'
);

if (!exploited)
{
  install_url = build_url(qs:install['dir']+'/',port:port);
  exit(0, "The SilverStripe CMS install at " + install_url + " is not affected.");
}

Related

cve 1
cvelist 1
nvd 1
prion 1
cve
cve
CVE-2010-1593
2010-04-28 23:30:00
cvelist
cvelist
CVE-2010-1593
2010-04-28 23:00:00
nvd
nvd
CVE-2010-1593
2010-04-28 23:30:00
prion
prion
Cross site scripting
2010-04-28 23:30:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.006

Percentile

78.2%

JSON
Related for SILVERSTRIPE_FORUMS_XSS.NASL
cve1cvelist1nvd1prion1