Lucene search

K
zeroscienceGjoko KrsticZSL-2010-4964
HistorySep 17, 2010 - 12:00 a.m.

Netautor Professional 5.5.0 (goback) XSS Vulnerability

2010-09-1700:00:00
Gjoko Krstic
zeroscience.mk
116

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6

Confidence

High

EPSS

0.033

Percentile

91.5%

Title: Netautor Professional 5.5.0 (goback) XSS Vulnerability
Advisory ID: ZSL-2010-4964
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 17.09.2010

Summary

Netautor Professional is an application server and development environment. Netautor Professional was developed to serve the practical needs of users, and was continuously advanced.
--
Digital Workroom is a well proven and time-tested Content Management System. Its based on also digiconcepts developed Application Server “Netautor Professional” and PHP 5. The standard functional range covers the majoritarian needs on Internet- and Intranet environments for publication and communication.

Description

Netautor Professional v5.5.0 suffers from a XSS vulnerability because input passed via the “goback” parameter to login2.php script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

--------------------------------------------------------------------------------

` [FILE] :: [LINE#] :: [STRING]

\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 532 :: unset($GLOBALS[‘goback’]);
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 536 :: if(!empty($GLOBALS[‘goback’])) $values[‘USER_TARGET’][0] = $GLOBALS[‘goback’];
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 575 :: /* Auf GLOBALS[‘goback’] von NPF_SECURE reagieren*/
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 661 :: <?php if (empty( $GLOBALS[‘goback’])): ?>
\ROOT\netautor\napro4\home\login2.msk :: 49 :: <input type=“hidden” name=“goback” value=“<?php echo($goback); ?>” >
\ROOT\netautor\napro4\home\login2.php :: 38 :: if(empty($goback)) $goback = $USER->get_feature_value(‘initial_doc’);
\ROOT\netautor\napro4\include\functions\users.fnc :: 822 :: if (!strpos($url,‘&goback=’)) $url.=‘&goback=’.rawurlencode($PHP_SELF);
\ROOT\netautor\napro4\include\npf_lib\npf_special.fnc :: 155 :: $redirect.=( strpos($redirect,‘?’) ? ‘&’ : ‘?’ ).‘goback=’.rawurlencode( $REQUEST_URI );
`
--------------------------------------------------------------------------------

Vendor

/digiconcept/ - http://www.digiconcept.net

Affected Version

Netautor Professional 5.5.0
Digital Workroom 5.3.1

Tested On

Microsoft Windows XP Professional SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)

Vendor Status

[14.09.2010] Vulnerability discovered.
[15.09.2010] Contact with the vendor.
[17.09.2010] No reply from vendor.
[17.09.2010] Public advisory released.

PoC

napro_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] http://www.packetstormsecurity.org/filedesc/ZSL-2010-4964.txt.html
[2] http://securityreason.com/wlb_show/WLB-2010090084
[3] http://www.securityfocus.com/bid/43290
[4] http://secunia.com/advisories/41475
[5] http://osvdb.org/show/osvdb/68128
[6] https://vulners.com/cve/CVE-2010-3489

Changelog

[17.09.2010] - Initial release
[18.09.2010] - Added reference [2] and [3]
[21.09.2010] - Added reference [4]
[22.09.2010] - Added reference [5]
[28.09.2010] - Added reference [6]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: [email protected]

<html><body><p>Netautor Professional 5.5.0 (goback) XSS Vulnerability


Vendor: /digiconcept/
Product web page: http://www.digiconcept.net
Affected version: 5.5.0 and DW 5.3.1


Summary: Netautor Professional is an application server and
development environment. Netautor Professional was developed
to serve the practical needs of users, and was continuously
advanced.
--
Digital Workroom is a well proven and time-tested Content Management
System. It`s based on also digiconcept`s developed Application Server
"Netautor Professional" and PHP 5. The standard functional range covers
the majoritarian needs on Internet- and Intranet environments for publication
and communication.


Desc: Netautor Professional v5.5.0 suffers from a XSS vulnerability because
input passed via the "goback" parameter to login2.php script is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site.


----------------------------- [FILE] :: [LINE#] :: [STRING] -----------------------------

\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 532 :: unset($GLOBALS['goback']);
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 536 :: if(!empty($GLOBALS['goback'])) $values['USER_TARGET'][0] = $GLOBALS['goback'];
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 575 :: /* Auf GLOBALS['goback'] von NPF_SECURE reagieren*/
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 661 :: &lt;?php if (empty( $GLOBALS['goback'])): ?&gt;
\ROOT\netautor\napro4\home\login2.msk :: 49 :: <input name="goback" type="hidden" value="&lt;?php echo($goback); ?&gt;"/>
\ROOT\netautor\napro4\home\login2.php :: 38 :: if(empty($goback)) $goback = $USER-&gt;get_feature_value('initial_doc');
\ROOT\netautor\napro4\include\functions\users.fnc :: 822 :: if (!strpos($url,'&amp;goback=')) $url.='&amp;goback='.rawurlencode($PHP_SELF);
\ROOT\netautor\napro4\include\npf_lib\npf_special.fnc :: 155 :: $redirect.=( strpos($redirect,'?') ? '&amp;' : '?' ).'goback='.rawurlencode( $REQUEST_URI );

-----------------------------------------------------------------------------------------


Tested on: MS WinXP Pro SP3 (EN)
           PHP 5.3.0
           MySQL 5.1.36
           Apache 2.2.11 (Win32)


Vendor status: [14.09.2010] Vulnerability discovered.
               [15.09.2010] Contact with the vendor.
               [17.09.2010] No reply from vendor.
               [17.09.2010] Public advisory released.


Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
                             liquidworm gmail com
                             Zero Science Lab - http://www.zeroscience.mk


Advisory ID: ZSL-2010-4964
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4964.php


PoC:

 http://10.0.0.17/netautor/napro4/home/login2.php?goback=%22%3Cscript%3Ealert%28document.location%29%3C/script%3E
</p></body></html>

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6

Confidence

High

EPSS

0.033

Percentile

91.5%