runcms-xss.txt

2010-07-08T00:00:00
ID PACKETSTORM:91605
Type packetstorm
Reporter Andrei Rimsa Alvares
Modified 2010-07-08T00:00:00

Description

                                        
Title: RunCMS XSS Vulnerability via User Agent  
Vendor: RunCMS  
Product: RunCMS  
Tested Version: 2.1  
Threat Class: XSS  
Severity: Medium  
Remote: yes  
Local: no  
Discovered By: Andrei Rimsa Alvares  
  
===== Description =====  
  
RunCMS is prone to an XSS vulnerability: a script within the forum module echoes the User-Agent field of an HTTP request into the page without escaping it, so a crafted User-Agent value is rendered as markup.  
  
----- modules/forum/check.php -----  
01: <?php  
...  
10: echo "BROWSER: ".$_SERVER['HTTP_USER_AGENT'];  
----- modules/forum/check.php -----  
  
===== Impact =====  
  
Malicious JavaScript code can be executed in the context of the affected web site.  
  
===== Proof of Concept =====  
  
wget --user-agent="<script>window.alert('XSS');</script>" http://target/modules/forum/check.php  
  
===== Workaround =====  
  
Remove the affected file from the system: modules/forum/check.php.  
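
Where the file cannot simply be removed, the same line can be printed with the header HTML-encoded first. The following is an added example, not RunCMS code or a vendor patch; it assumes PHP 7.0 or later and that the value is written into HTML body text as in the excerpt above, and the helper name render_user_agent is hypothetical.

```php
<?php
// Added example (not RunCMS code). Assumes PHP 7.0+ and an HTML body-text context.

/**
 * Hypothetical helper: return the User-Agent header as inert HTML text.
 * $server is the $_SERVER array, passed in so the function can be exercised offline.
 */
function render_user_agent(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';   // header may be absent
    if (!is_string($ua)) {
        $ua = '';
    }
    // Cap the length: a diagnostic page has no need to echo kilobytes of header.
    // A cut through a multi-byte sequence is handled by ENT_SUBSTITUTE below.
    $ua = substr($ua, 0, 256);
    // Encode <, >, &, " and ' so the value cannot open a tag or break out of
    // an attribute. ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead
    // of making htmlspecialchars() return an empty string.
    return htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Offline self-check: the advisory's proof-of-concept value as constructed input.
    $poc = "<script>window.alert('XSS');</script>";
    $out = render_user_agent(['HTTP_USER_AGENT' => $poc]);
    if (strpos($out, '<') !== false || strpos($out, '>') !== false
        || strpos($out, "'") !== false) {
        fwrite(STDERR, "encoding failed\n");
        exit(1);
    }
    // A request without the header must not raise a notice or print markup.
    if (render_user_agent([]) !== '') {
        fwrite(STDERR, "missing header not handled\n");
        exit(1);
    }
    echo "BROWSER: " . $out . PHP_EOL;
} else {
    // Declare the charset that the encoding above was done in.
    header('Content-Type: text/html; charset=UTF-8');
    echo "BROWSER: " . render_user_agent($_SERVER);
}
```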
  
===== Disclosure Timeline =====  
  
June, 16 2010 - Vendor notification.  
June, 17 2010 - Vendor response confirming the bug.  
July, 07 2010 - Public disclosure.  
  
===== References =====  
  
http://www.runcms.org  