In-Portal CMS Cross Site Scripting

2014-09-01T00:00:00
ID PACKETSTORM:128106
Type packetstorm
Reporter MustLive
Modified 2014-09-01T00:00:00

Description

                                        
                                            `Hello list!  
  
After I informed developers in August about multiple vulnerabilities in   
In-Portal CMS and they answered they would fix them soon (so wait for   
disclosure of the first vulnerabilities), I found new hole in this CMS at   
their official site.  
  
This is Cross-Site Scripting vulnerability in In-Portal CMS. Besides tens   
millions of vulnerable web sites with affected flash files and vulnerable   
multiple plugins for different engines, there are a lot of other vulnerable   
plugins and themes - even five years since my original advisory. This time   
it's a theme for In-Portal CMS.  
  
This XSS is similar to XSS vulnerability in WP-Cumulus, which I've disclosed   
in 2009 (http://securityvulns.com/Wdocument842.html). Because this theme   
uses tagcloud.swf made by author of WP-Cumulus. About such vulnerabilities I   
wrote in previous years, particularly about millions of flash files   
tagcloud.swf which are vulnerable to XSS attacks I mentioned in my article   
XSS vulnerabilities in 34 millions flash files   
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of In-Portal CMS with this theme. There can be   
other vulnerable themes for this CMS.  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
http://site/themes/theme_name/inc/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E  
  
XSS at official site of In-Portal CMS:  
  
http://www.in-portal.com/themes/theme_in-portal.com/inc/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E  
  
Code will execute after click. It's strictly social XSS   
(http://websecurity.com.ua/5476/). Also it's possible to conduct (like in   
WP-Cumulus) HTML Injection attack.  
  
I mentioned about this vulnerability at my site   
(http://websecurity.com.ua/7312/).  
  
Best wishes & regards,  
Eugene Dokukin aka MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`