iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability

2011-09-17T00:00:00
ID ZSL-2011-5045
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-09-17T00:00:00

Description

Title: iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2011-5045
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 17.09.2011

Summary

With iManager you can manage your files/images on your webserver, and it provides a user interface to most of the phpThumb() functions. It works either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor.

Description

iManager suffers from an XSS vulnerability when handling user input to the 'dir' parameter, passed via the GET method, in 'random.php' and 'phpThumb.demo.random.php'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Vendor

net4visions.com - <http://www.net4visions.com>

Affected Version

<= 1.2.8 Build 02012008

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

N/A

PoC

imanager_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://packetstormsecurity.org/files/105199>
[2] <http://secunia.com/advisories/46063/>
[3] <http://www.securelist.com/en/advisories/46063>
[4] <http://www.net-security.org/secworld.php?id=11649>
[5] <http://www.securityfocus.com/bid/49675>
[6] <http://securityreason.com/wlb_show/WLB-2011090092>
[7] <http://xforce.iss.net/xforce/xfdb/69920>
[8] <http://osvdb.org/show/osvdb/75601>
[9] <http://osvdb.org/show/osvdb/75603>

Changelog

[17.09.2011] - Initial release
[18.09.2011] - Added reference [1]
[19.09.2011] - Added reference [2]
[20.09.2011] - Added reference [3], [4], [5] and [6]
[22.09.2011] - Added reference [7], [8] and [9]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability


Vendor: net4visions.com
Product web page: http://www.net4visions.com
Affected version: <= 1.2.8 Build 02012008

Summary: With iManager you can manage your files/images on your webserver,
and it provides a user interface to most of the phpThumb() functions. It works
either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW,
htmlAREA, Xinha and FCKeditor.

Desc: iManager suffers from an XSS vulnerability when handling user
input to the 'dir' parameter, passed via the GET method, in 'random.php' and
'phpThumb.demo.random.php'. Attackers can exploit this weakness to
execute arbitrary HTML and script code in a user's browser session.


Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com


Advisory ID: ZSL-2011-5045
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5045.php


15.09.2011

--

http://SOME_CMS/jscripts/tiny_mce/plugins/imanager/scripts/random.php?dir=<script>alert('zsl')</script>
http://SOME_CMS/jscripts/tiny_mce/plugins/imanager/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert('zsl')</script>
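As an added detection-side example (not part of the advisory and not iManager code), the following Python scans Apache access-log lines for requests to the two scripts named above and flags any 'dir' value that still contains markup after URL-decoding, including double-encoded payloads. The log lines are constructed, and the install path in them mirrors the PoC URLs.

```python
"""Detection-side check: flag requests to the two iManager scripts named in the
advisory whose 'dir' parameter still carries HTML markup after URL-decoding."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script names come from the advisory; everything else here is constructed.
TARGET_SCRIPTS = ("random.php", "phpThumb.demo.random.php")
# Angle brackets or a javascript: scheme have no place in a directory name.
MARKUP = re.compile(r"[<>]|javascript:", re.IGNORECASE)
# Apache combined log format; only the client IP and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_request(target):
    """Return the decoded 'dir' value if the request targets one of the scripts
    and the value contains markup, otherwise None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in TARGET_SCRIPTS:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("dir", []):
        decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
        if MARKUP.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return (client_ip, script_path, decoded_payload) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        payload = flag_request(m.group("target"))
        if payload is not None:
            hits.append((m.group("ip"), m.group("target").split("?", 1)[0], payload))
    return hits

# Constructed sample log lines: one benign request, one plain and one
# double-encoded payload, and one unrelated script that is ignored by design.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2011:10:01:22 +0200] "GET /jscripts/tiny_mce/plugins/imanager/scripts/random.php?dir=images/2011 HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Sep/2011:10:01:40 +0200] "GET /jscripts/tiny_mce/plugins/imanager/scripts/random.php?dir=%3Cscript%3Ealert(\'zsl\')%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.7 - - [15/Sep/2011:10:02:03 +0200] "GET /jscripts/tiny_mce/plugins/imanager/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=%253Cscript%253E HTTP/1.1" 200 640',
    '198.51.100.7 - - [15/Sep/2011:10:02:30 +0200] "GET /index.php?dir=%3Cb%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, script, payload in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {script}: {payload!r}")
```

Requests to other scripts are deliberately not flagged, so widen TARGET_SCRIPTS if the plugin is installed under a different editor path.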