CMS Contenido 4.9.5 Cross Site Scripting

2014-12-24T00:00:00
ID PACKETSTORM:129713
Type packetstorm
Reporter Steffen Roesemann
Modified 2014-12-24T00:00:00

Description

                                        
                                            `Advisory: Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5  
Advisory ID: SROEADV-2014-03  
Author: Steffen Rösemann  
Affected Software: CMS Contenido 4.9.x-4.9.5 (Release: 10th Dec 2014)  
Vendor URL: http://www.contenido.org/de/  
Vendor Status: fixed  
CVE-ID: -  
  
==========================  
Vulnerability Description:  
==========================  
  
The Content Management System Contenido 4.9.x to 4.9.5 has a reflecting XSS  
vulnerability in its error-handler function which displays parameters on  
the webpage when unexpected values are being transmitted by the client.  
This vulnerability occurs when feature advanced mod rewrite (AMR) is  
disabled, which rewrites urls for SEO purposes.  
  
==================  
Technical Details:  
==================  
  
If unexpected values are being transmitted via the parameters „idart“,  
„lang“ and/or „idcat“ to the PHP-Script  
  
http://{IP/HOSTNAME}/cms/front_content.php  
  
an error will be thrown which displays the passed value to the user on the  
webpage without sanitizing it.  
  
Payload-Examples:  
  
http://  
{IP/HOSTNAME}/cms/front_content.php?idcat=41&lang=1<script>alert("XSS")</script>  
  
http://{IP/HOSTNAME}/cms/front_content.php?idcat=41<iframe  
src="some_remote_src" height="200" width="200" ></iframe>  
&lang=1  
  
http://  
{IP/HOSTNAME}/cms/front_content.php?idart=32<script>alert(document.cookie)</script>  
  
=========  
Solution:  
=========  
  
Update to the latest version  
  
====================  
Disclosure Timeline:  
====================  
  
17-Dec-2014 – found the vulnerability  
17-Dec-2014 - informed the developers  
18-Dec-2014 - response by vendor  
19-Dec-2014 – fix by vendor  
24-Dec-2014 - release date of this security advisory  
24-Dec-2014 - post on FullDisclosure  
  
========  
Credits:  
========  
  
Vulnerability found and advisory written by Steffen Rösemann.  
  
===========  
References:  
===========  
  
http://www.contenido.org/de/  
http://sroesemann.blogspot.de  
  
  
`