Pagelime CMS XSS / Credential Disclosure

14 Oct 2013 00:00:00 | Reported by Juan Carlos Garcia | Type: packetstorm | Source: packetstormsecurity.com | 47 Views

Pagelime CMS XSS / Credential Disclosure. Pagelime is a hosted CMS for managing website content. The advisory reports a jQuery cross-site scripting issue, an unencrypted __VIEWSTATE parameter, login credentials sent in clear text, and a login page with no protection against password-guessing attacks.

Code
=================================================================================================================================================  
PAGELIME CMS jQuery Cross Site Scripting / Unencrypted __VIEWSTATE parameter / User credentials are sent in clear text / Login page password-guessing attack  
=================================================================================================================================================  
  
No vendor response / Not fixed  
Full Disclosure  
  
I. VULNERABILITY  
-------------------------  
#Title: PAGELIME CMS jQuery Cross Site Scripting / Unencrypted __VIEWSTATE parameter / User credentials are sent in clear text / Login page password-guessing attack  
  
#Vendor: http://cms.pagelime.com/CMS/Login.aspx  
  
#Author: Juan Carlos García (@secnight)  
  
#Follow me   
  
Twitter: @secnight  
  
II. DESCRIPTION  
-------------------------  
  
PageLime is a hosted Content Management System (CMS) for designers, web agencies, and web developers. It allows you to manage text, images, and documents on your site by logging into a web-app that's hosted on our servers. The best part is that it doesn't matter where your site is hosted, it doesn't matter whether you use PHP, Java, or ASP (or no scripting platform), and you don't have to make a single change to your site architecture.  
  
  
III. PROOF OF CONCEPT  
-------------------------  
  
jQuery Cross Site Scripting  
****************************  
  
  
Vulnerability description  
---------------------------  
  
This page uses an older version of jQuery that is vulnerable to cross-site scripting.  
Many sites use jQuery to select elements based on location.hash, which lets an attacker inject script into the page. This problem was fixed in jQuery 1.6.3.  
  
Affected items  
----------------  
  
/linked/js/jquery/jquery.js   
  
  
The impact of this vulnerability  
-------------------------------------  
  
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.  
  
How to fix this vulnerability  
--------------------------------  
Update to the latest version of jQuery.  
  
Web references  
--------------  
jQuery 1.6.3 Released   
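Two defender-side checks for the jQuery finding above, as an added example (not code from the advisory or from the Pagelime product): a version audit that flags a bundled jquery.js older than the 1.6.3 release the advisory names as the fix, and the pattern a page should use instead of passing location.hash straight into $(). The banner regex, the SAFE_FRAGMENT rule and the sample banner string are assumptions made for this example.

```javascript
// Added example (not from the advisory): two defender-side checks for the
// jQuery location.hash issue described above.
//
// 1. isVulnerableJqueryVersion: flags a bundled jQuery older than 1.6.3, the
//    release the advisory names as the fix for the location.hash selector bug.
// 2. safeHashSelector: the pattern a page should use instead of passing
//    location.hash straight to $(): only accept a plain fragment identifier
//    and reject anything that could be parsed as HTML.

function parseVersion(v) {
  // "1.6.2" -> [1, 6, 2]; missing parts count as 0
  const parts = String(v).split('.').map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed in jQuery 1.6.3 (per the advisory's reference); anything older is affected.
const JQUERY_FIXED_IN = '1.6.3';

function isVulnerableJqueryVersion(version) {
  return compareVersions(version, JQUERY_FIXED_IN) < 0;
}

// Pull the version out of the banner that jquery.js 1.x ships with, e.g.
// " * jQuery JavaScript Library v1.6.2". Returns null when no banner is found.
function jqueryVersionFromSource(source) {
  const m = /jQuery JavaScript Library v(\d+\.\d+(?:\.\d+)?)/.exec(source);
  return m ? m[1] : null;
}

// Only a plain fragment id ("#section-2") is accepted; "#<img ...>" and other
// markup-looking hashes are rejected so they never reach $() as HTML.
const SAFE_FRAGMENT = /^#[A-Za-z][\w-]*$/;

function safeHashSelector(hash) {
  return SAFE_FRAGMENT.test(hash) ? hash : null;
}

// Constructed sample: a banner like the one at the top of a 1.x jquery.js.
const SAMPLE_JQUERY_BANNER = '/*!\n * jQuery JavaScript Library v1.6.2\n */';

function auditSample() {
  const v = jqueryVersionFromSource(SAMPLE_JQUERY_BANNER);
  return { version: v, vulnerable: v !== null && isVulnerableJqueryVersion(v) };
}
```

In a page, the safe pattern is `const sel = safeHashSelector(location.hash); if (sel) $(sel).show();` rather than `$(location.hash)`: the whitelist keeps the selector a selector, so the fix does not depend on which jQuery version happens to be bundled.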
  
  
Unencrypted __VIEWSTATE parameter  
*********************************  
  
/cms/login.aspx  
  
  
Vulnerability description  
-------------------------  
  
The __VIEWSTATE parameter is not encrypted. To reduce the chance of someone intercepting the information stored in the ViewState, it is good design to encrypt the ViewState.  
To do this, set the machineKey validation type to 3DES. This instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption algorithm.  
  
Attack details  
-----------------  
form name: "frmMain"  
form action: "Login.aspx"  
VIEWSTATE: "/wEPDwUKMTgxMjY1MTI5NWRk"  
  
How to fix this vulnerability  
-------------------------------  
Open Web.Config and add the following line under the <system.web> element:   
  
<machineKey validation="3DES"/>   
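A check that shows what "not encrypted" means for the __VIEWSTATE value quoted above, as an added example (not code from the advisory or the product): ASP.NET's ObjectStateFormatter writes the two-byte prefix 0xFF 0x01 at the start of a serialised ViewState, so when the value is only MAC-signed or unprotected that prefix and the serialised strings are readable after base64 decoding, while an encrypted ViewState is ciphertext and shows neither. The two VIEWSTATE values come from the advisory; the "opaque" sample is constructed bytes standing in for ciphertext, not real encryption.

```javascript
// Added example (not from the advisory): checks whether a __VIEWSTATE value is
// readable rather than encrypted. ASP.NET's ObjectStateFormatter writes the
// two-byte prefix 0xFF 0x01 at the start of a serialised ViewState; when the
// ViewState is only MAC-signed (or not protected at all) that prefix and the
// serialised strings are visible after base64 decoding. Encrypted ViewState
// is ciphertext and shows neither.

// The two VIEWSTATE values quoted in the advisory (the second as it appears in
// the POST body, i.e. URL-encoded).
const SHORT_VIEWSTATE = '/wEPDwUKMTgxMjY1MTI5NWRk';
const POSTED_VIEWSTATE =
  '%2fwEPDwUKMTgxMjY1MTI5NQ9kFgICAw9kFgICAQ9kFgJmD2QWAgIFDw8WCB4IQ3NzQ2xhc3MFA3JlZB4EVGV4dAU4V2UgY291bGQgbm90IGZpbmQgdGhlIHNwZWNpZmllZCBlbWFpbC4gUGxlYXNlIHRyeSBhZ2Fpbi4eBF8hU0ICAh4HVmlzaWJsZWdkZGQ%3d';

// Accepts the raw base64 or the URL-encoded form found in a request body.
function decodeViewState(value) {
  const b64 = value.includes('%') ? decodeURIComponent(value) : value;
  return Buffer.from(b64, 'base64');
}

function isUnencryptedViewState(value) {
  const bytes = decodeViewState(value);
  return bytes.length >= 2 && bytes[0] === 0xff && bytes[1] === 0x01;
}

// Runs of printable ASCII (minLen+ chars) inside the decoded blob: what an
// eavesdropper on an unencrypted connection could read directly.
function readableFragments(value, minLen = 4) {
  const text = decodeViewState(value).toString('latin1');
  const printableRun = new RegExp('[\\x20-\\x7e]{' + minLen + ',}', 'g');
  return text.match(printableRun) || [];
}

// Constructed stand-in for an encrypted ViewState: arbitrary bytes with no
// serialiser prefix, which is how ciphertext looks. Not real encryption.
const CONSTRUCTED_OPAQUE = Buffer.from([0x3a, 0x9c, 0x51, 0xe0, 0x07, 0x44, 0xb2, 0x1d]).toString('base64');

function report(value) {
  return { unencrypted: isUnencryptedViewState(value), fragments: readableFragments(value) };
}
```

Run against the posted value, the fragments include the control property names and the literal error message the page stored in its ViewState, which is exactly the information the advisory's "good design" note wants hidden. The advisory's `validation="3DES"` line dates from ASP.NET 1.x; on ASP.NET 2.0 and later the usual way to turn encryption on is the `viewStateEncryptionMode="Always"` attribute on `<pages>` in Web.config or on the page directive, with a `machineKey` that is the same across all servers serving the application.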
  
  
  
User credentials are sent in clear text  
*****************************************  
  
/cms/login.aspx  
/cms/login.aspx (4cc8ecea42c4617e027d8b851edda7cc)  
  
User credentials are transmitted over an unencrypted channel.  
This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.  
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.  
Because user credentials are sensitive information, they should always be transferred to the server over an encrypted connection (HTTPS).  
  
  
Login page password-guessing attack  
***********************************  
  
/cms/login.aspx  
  
A common threat web developers face is a password-guessing attack known as a brute force attack.  
A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.  
  
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more information about fixing this problem.  
  
Attack Details  
--------------  
  
Tested 10 invalid credentials and no account lockout was detected.  
  
POST /cms/login.aspx HTTP/1.1  
  
ctlLogin%24btnLogin=Login&ctlLogin%24btnResetPassword=Reset%20Password&ctlLogin%24hdnHashValue=&ctlLogin%24txtEmail=PmenOCN2%40cms.pagelime.com&ctlLogin%24txtForgotPasswordEmail=sample%40email.tst&ctlLogin%24txtPassword=qFh0EThN&__EVENTVALIDATION=%2fwEWBwKBjI%2bBBQLz36bfDwLG5PUzAqSqy6IPAteqpu0GAuC699oKAor8x9QJ&__VIEWSTATE=%2fwEPDwUKMTgxMjY1MTI5NQ9kFgICAw9kFgICAQ9kFgJmD2QWAgIFDw8WCB4IQ3NzQ2xhc3MFA3JlZB4EVGV4dAU4V2UgY291bGQgbm90IGZpbmQgdGhlIHNwZWNpZmllZCBlbWFpbC4gUGxlYXNlIHRyeSBhZ2Fpbi4eBF8hU0ICAh4HVmlzaWJsZWdkZGQ%3d  
  
  
The impact of this vulnerability  
----------------------------------  
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until they discover the one correct combination that works.  
  
  
How to fix this vulnerability  
--------------------------------  
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.   
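The lockout control recommended above, written as a small in-memory policy so its behaviour can be exercised against the advisory's own test of ten wrong passwords. This is an added example, not code from the advisory or from the Pagelime product; the thresholds (5 failures within 15 minutes lock the account for 15 minutes), the account name and the accepted placeholder password are assumptions made for the example.

```javascript
// Added example (not from the advisory): the account-lockout control the
// advisory recommends, written as a small in-memory policy so its behaviour
// can be exercised. Assumptions (not from the page): 5 failures within a
// 15-minute window lock the account for 15 minutes; a successful login
// clears the failure counter. Real deployments keep this state in a shared
// store, and many also rate-limit by source address, which this omits.

const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;
const LOCKOUT_MS = 15 * 60 * 1000;

class LockoutPolicy {
  constructor({ maxFailures = MAX_FAILURES, windowMs = WINDOW_MS, lockoutMs = LOCKOUT_MS } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.state = new Map(); // account -> { failures: [timestamps], lockedUntil }
  }

  entry(account) {
    if (!this.state.has(account)) this.state.set(account, { failures: [], lockedUntil: 0 });
    return this.state.get(account);
  }

  isLocked(account, now) {
    return this.entry(account).lockedUntil > now;
  }

  // Called before the password is checked; false means the attempt must be
  // refused without evaluating the credentials at all.
  allowAttempt(account, now) {
    return !this.isLocked(account, now);
  }

  // Records a wrong password; returns true when this failure locked the account.
  recordFailure(account, now) {
    const e = this.entry(account);
    e.failures = e.failures.filter((t) => now - t < this.windowMs); // drop stale failures
    e.failures.push(now);
    if (e.failures.length >= this.maxFailures) {
      e.lockedUntil = now + this.lockoutMs;
      e.failures = [];
    }
    return this.isLocked(account, now);
  }

  recordSuccess(account) {
    this.state.delete(account);
  }
}

// Replays the advisory's test: a series of guesses in quick succession against
// one account. Returns how many attempts reached the password check and
// whether the account ended up locked. The credential check is a constructed
// placeholder: only 'correct-horse' is accepted.
function replayGuessing(policy, account, guesses, startMs, spacingMs) {
  let evaluated = 0;
  guesses.forEach((guess, i) => {
    const now = startMs + i * spacingMs;
    if (!policy.allowAttempt(account, now)) return; // refused while locked
    evaluated += 1;
    if (guess === 'correct-horse') policy.recordSuccess(account);
    else policy.recordFailure(account, now);
  });
  return { evaluated, locked: policy.isLocked(account, startMs + guesses.length * spacingMs) };
}
```

With this policy in front of the password check, the advisory's ten-attempt test would have reached the password comparison only five times and left the account locked, which is the observable difference a retest should look for. The lock should also be reported with the same generic error as a wrong password, so the response does not reveal which accounts exist.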
  
  
  
IV. BUSINESS IMPACT  
-------------------------  
This type of flaw is extremely dangerous for online banks and other services with many customers, because it can have a serious impact on those customers. No bank can afford bugs in its code, and customer trust can be affected.  
  
V. SOLUTION  
------------------------  
  
Secure code and update jQuery.  
  
  
VI. CREDITS  
-------------------------  
  
This vulnerability has been discovered by Juan Carlos García (@secnight)  
  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
