seagull-063-xss.txt

2008-01-24T00:00:00
ID PACKETSTORM:62942
Type packetstorm
Reporter fuzion
Modified 2008-01-24T00:00:00

Description

                                        
`
Product:  
Seagull STABLE 0.6.3  
http://seagullproject.org/  
  
Vulnerable:  
It seems that none of the theme CSS renderers sanitize variables against cross-site scripting.  
Register Globals = ON  
  
Multiple Cross Site Scripting problems:  
http://[site]/themes/default1/css/blockStyle.php?secondary=[xss]  
  
Also vulnerable:  
themes/default1/css/core.php  
themes/default1/css/event.php  
themes/default1/css/media.php  
themes/default1/css/publisher.php  
themes/default1/css/SglDefault_TwoLevel.nav.php  
themes/default1/css/SglListamaticSubtle.nav.php  
themes/default_admin/css/adminMenu_vertical.nav.php  
themes/default_admin/css/block.php  
themes/default_admin/css/blockStyle.php  
themes/default_admin/css/cms.php  
themes/default_admin/css/comment.php  
themes/default_admin/css/core.php  
themes/default_admin/css/navigation.php  
themes/default_admin/css/publisher.php  
themes/default_admin/css/user.php  
  
Some common vulnerable variables:  
secondary  
fontFamilyAlt  
primaryLight  
greyLightest  
leftColWidth  
grey  
primaryDark  
primary  
baseUrl  
  
Several of these cause path disclosure as well:  
http://[site]/themes/default_admin/css/core.php  
PoC:  
http://demo.seagullproject.org/themes/default_admin/css/core.php  
  
Other vulnerabilities may be available if Seagull was not properly installed:  
http://[site]/[path]/etc/mysql5_field_test.php?res=[xss]  
http://[site]/[path]/modules/event/www/css/event.php?baseUrl=[xss]  
http://[site]/[path]/modules/media/www/css/media.php?greyDark=[xss]  
`
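Added example, not part of the original advisory or the Seagull code base: a log check a defender could run to find requests to the renderer scripts listed above whose parameters carry values that are not plain CSS. The allowlist of CSS-safe characters and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Script locations named in the advisory: theme and module CSS renderers,
# plus the leftover field test page.
RENDERER = re.compile(
    r"/(?:themes/[^/]+/css|modules/[^/]+/www/css)/[^/]+\.php$"
    r"|/etc/mysql5_field_test\.php$"
)
# Assumption: legitimate values are colours, sizes, font names or URLs.
CSS_SAFE = re.compile(r"[\w #%.,:/\-]*")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for unsafe values sent to a renderer."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if not RENDERER.search(path):
        return []
    # parse_qsl percent-decodes, so encoded markup is checked decoded.
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if not CSS_SAFE.fullmatch(v)]


def scan(lines):
    """Map 1-based line number -> findings, for lines with at least one hit."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = suspicious_params(line)
        if found:
            hits[n] = found
    return hits


# Constructed sample access-log lines, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [24/Jan/2008:10:00:01 +0000] "GET /themes/default1/css/blockStyle.php?secondary=%23ccddee HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Jan/2008:10:00:02 +0000] "GET /themes/default1/css/blockStyle.php?secondary=%3Cscript%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [24/Jan/2008:10:00:03 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 900',
    '192.0.2.13 - - [24/Jan/2008:10:00:04 +0000] "GET /modules/event/www/css/event.php?baseUrl=%22%3E%3Cb%3E HTTP/1.1" 200 410',
]

if __name__ == "__main__":
    for lineno, found in scan(SAMPLE).items():
        print(lineno, found)
```

Any hit on these paths is worth reviewing, since a stylesheet request has no reason to carry markup, quotes or parentheses in a theme variable.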