Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability

2011-11-13T00:00:00
ID ZSL-2011-5057
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-11-13T00:00:00

Description

Title: Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability
Advisory ID: ZSL-2011-5057
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 13.11.2011

Summary

Hotaru CMS is an open-source PHP platform for building your own websites. With flexible plugins and themes, you can make any site you like.

Description

The CMS suffers from multiple XSS vulnerabilities. Input passed through the POST parameters 'SITE_NAME' (stored) and 'return' (reflected) and the GET parameter 'search' (reflected) to Hotaru.php is not sanitized, allowing an attacker to inject arbitrary HTML and script code that executes in a user's browser session in the context of the affected site. Because 'SITE_NAME' is persisted in the site configuration and rendered on every page, a single malicious value set by (or on behalf of) an administrator is served to every visitor until it is changed.
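
The following is an added illustration, not the advisory's PoC (hotarucms_xss.html) and not Hotaru's own code. It models the two flaw classes named above, a stored setting rendered into the page title and a request parameter echoed into an attribute value, beside their hardened forms, and includes a small canary check of the kind a tester would run against each sink to tell a live injection point from a correctly encoded one. The settings table, the render functions and the canary format are assumptions made for the example; only the parameter names come from the advisory.

```python
import html
import secrets

# Constructed stand-in for the CMS settings table. The stored SITE_NAME value is
# written once by a POST to the settings form and then rendered into every page,
# which is what makes the first issue a *stored* rather than reflected XSS.
SETTINGS = {"SITE_NAME": "Hotaru"}


def save_site_name(value: str) -> None:
    # Stored as submitted. Filtering on the way in is not the fix: the value must
    # be encoded for the context it is emitted into, at the sink.
    SETTINGS["SITE_NAME"] = value


def render_header_vulnerable() -> str:
    # Vulnerable pattern: stored value interpolated into HTML verbatim.
    return f'<title>{SETTINGS["SITE_NAME"]}</title>'


def render_header_fixed() -> str:
    # Hardened pattern: HTML-encode at the point of output.
    return f'<title>{html.escape(SETTINGS["SITE_NAME"], quote=True)}</title>'


def render_search_vulnerable(search: str) -> str:
    # Reflected pattern: the GET parameter is echoed back inside an attribute.
    return f'<input type="text" name="search" value="{search}">'


def render_search_partial(search: str) -> str:
    # Common half-fix: '<' and '>' are encoded but quotes are not, so the value
    # can still close the attribute and inject an event handler.
    return f'<input type="text" name="search" value="{html.escape(search, quote=False)}">'


def render_search_fixed(search: str) -> str:
    # Attribute context requires quote encoding as well.
    return f'<input type="text" name="search" value="{html.escape(search, quote=True)}">'


def make_canary() -> str:
    # Unique token carrying the two characters that matter for HTML injection:
    # '<' (element context) and '"' (attribute context). If either survives
    # encoding, the sink is exploitable.
    return f'"<zsl{secrets.token_hex(4)}>"'


def classify_reflection(body: str, canary: str) -> str:
    """Classify how a submitted canary came back in a response body.

    'absent'    -> not reflected at all
    'unescaped' -> a raw '<' or a raw '"' from the canary survived (live sink)
    'escaped'   -> reflected, but the metacharacters were HTML-encoded
    """
    token = canary.strip('"<>')  # the part that survives any encoding scheme
    if token not in body:
        return "absent"
    raw_element = f"<{token}>" in body              # '<' came back unencoded
    raw_quote = f'"&lt;{token}&gt;"' in body        # '<' encoded, but '"' not
    if raw_element or raw_quote:
        return "unescaped"
    return "escaped"


def check_all_sinks() -> dict:
    """Run the canary through every modelled sink and report each verdict."""
    canary = make_canary()
    save_site_name(canary)
    return {
        "SITE_NAME (stored, vulnerable)": classify_reflection(render_header_vulnerable(), canary),
        "SITE_NAME (stored, fixed)": classify_reflection(render_header_fixed(), canary),
        "search (reflected, vulnerable)": classify_reflection(render_search_vulnerable(canary), canary),
        "search (reflected, partial fix)": classify_reflection(render_search_partial(canary), canary),
        "search (reflected, fixed)": classify_reflection(render_search_fixed(canary), canary),
    }


if __name__ == "__main__":
    for sink, verdict in check_all_sinks().items():
        print(f"{sink:36s} {verdict}")
```

Against a real target the same `classify_reflection` check is applied to the fetched page after submitting the canary in the relevant parameter; for the stored case the value is set once and then every page of the site is inspected, since the title is rendered everywhere. The partial-fix case is the caveat worth remembering: escaping angle brackets alone leaves attribute-context sinks exploitable.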

Vendor

Hotaru CMS - <http://www.hotarucms.org>

Affected Version

1.4.2

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8

Vendor Status

N/A

PoC

hotarucms_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://packetstormsecurity.org/files/106938>
[2] <http://securityreason.com/wlb_show/WLB-2011110045>
[3] <http://secunia.com/advisories/46842/>
[4] <http://www.securityfocus.com/bid/50657>
[5] <http://osvdb.org/show/osvdb/77095>
[6] <http://xforce.iss.net/xforce/xfdb/71300>
[7] <http://xforce.iss.net/xforce/xfdb/71301>
[8] <http://xforce.iss.net/xforce/xfdb/71302>
[9] <http://osvdb.org/show/osvdb/77680>
[10] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4709>
[11] <http://www.naked-security.com/nsa/201744.htm>

Changelog

[13.11.2011] - Initial release
[14.11.2011] - Added reference [1], [2] and [3]
[15.11.2011] - Added reference [4], [5], [6], [7] and [8]
[12.01.2012] - Added reference [9], [10] and [11]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
