Ektron CMS 8.7 Cross Site Scripting

2014.04.17
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stored Cross Site Scripting in Ektron CMS 8.7

CVE reference: CVE-2014-2729
Affected platforms: Ektron Web Content Management System
Version: 8.7.0
Date: 2013-December-19
Security risk: Medium (CVSS - AV:N/AC:L/Au:S/C:P/I:P/A:N)
Researcher: Joseph Zeng Xianbo
Vendor Status: Issue reported to be patched in Ektron CMS 8.7.0.055 SP2 (Patch Update: 8.7.0.055.2.015).

=====================================================================

Description:

During an internal penetration test exercise for a client, a stored Cross Site Scripting vulnerability was discovered in the HTTP parameter category0 of the affected webpage. The application stored the payload and executed it when the page was loaded. This vulnerability has been assigned CVE-2014-2729.

=====================================================================

Steps to demonstrate issue:

1. Login to the CMS Workarea
2. Click on the Content tab
3. On the Folders subpanel, right click on an existing folder. Click the 'Add Discussion Board' button
4. On the Properties tab, complete all mandatory fields
5. Click on the Templates tab and select a template on the Templates page
6. Click on the Subjects tab
7. Click the 'Add Subject' button
8. Fill in the Subject field with the text 'testing text'
9. Click the 'Add Discussion Board' button
10. Use a proxy tool such as Burp Suite Professional. Allow the HTTP GET request to AJAXbase.aspx to be sent unmodified to the server.
11. Intercept the HTTP POST request to content.aspx with the Burp proxy tool
12. Modify the value of the HTTP parameter 'category0' to 'testing+text<iframe src="http://example.com"></iframe>'
13. Send the modified HTTP POST request
14. On the Folder subpanel, right click on the newly created discussion board
15. Click View Properties from the menu which appears
16. Click on the Subjects tab
17. You should observe that the malicious JavaScript code is successfully executed

Note that steps 7 to 8 can be repeated, with step 12 then repeated for the corresponding parameters (e.g. 'category1', 'category2').

=====================================================================

Possible Impact

Malicious authenticated users could inject specially crafted JavaScript code into multiple input fields of the affected form (Add Discussion Board), which gets stored. When an administrative user subsequently retrieves and views the records from the administrative interface, the injected malicious JavaScript code will be executed in his/her web browser.

=====================================================================

Credits

This vulnerability was discovered by Joseph Zeng Xianbo

=====================================================================

History (GMT +8)

14 Aug 2013 - Vulnerability discovered and reported to client. Client reports it to System Integrator and Ektron.
6 Dec 2013 - Test on Ektron CMS 8.70 SP 2 shows vulnerability is still present
10 Mar 2014 - Test on patched Ektron CMS shows vulnerability has been resolved
26 Mar 2014 - Secunia informed of vulnerability
3 Apr 2014 - Secunia declines to issue advisory as Ektron CMS version 9 supersedes patched version. Case referred to MITRE.
5 Apr 2014 - CVE identifier assigned for this vulnerability
7 Apr 2014 - Ektron contacted for patch details
8 Apr 2014 - Ektron asks System Integrator for patch details
10 Apr 2014 - System Integrator gives notification of patch details
16 Apr 2014 - Advisory Released.

=====================================================================
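The following is an added example, not part of the advisory and not Ektron's code. It models the defect the advisory describes from the defender's side: the categoryN subject parameters of the Add Discussion Board POST are parsed from a constructed request body (built around the 'testing+text<iframe ...>' value from step 12), rendered once the way a vulnerable template would (verbatim) and once with HTML output encoding, and checked with a simple markup detector suitable for a WAF rule or a log review. The request body, the row template and all function names are assumptions made for the illustration.

```python
"""
Added example (not part of the Ektron advisory, not Ektron's code): why the stored
XSS in CVE-2014-2729 fires and how output encoding neutralises it. The request
body, the page template and the detection rule below are constructed for this
illustration.
"""
import html
import re
from urllib.parse import parse_qs

# Constructed POST body modelled on step 12 of the advisory: the first subject of a
# new discussion board travels in 'category0', further subjects in category1, ...
SAMPLE_POST_BODY = (
    "category0=testing+text%3Ciframe+src%3D%22http%3A%2F%2Fexample.com%22%3E%3C%2Fiframe%3E"
    "&category1=second+subject"
)

# Constructed admin-side HTML fragment standing in for one row of the Subjects tab
# shown under View Properties (assumed layout, not Ektron's markup).
ROW_TEMPLATE = '<tr><td class="subject">{subject}</td></tr>'


def parse_subjects(body: str) -> dict[str, str]:
    """Decode the form body and return the categoryN parameters in index order."""
    fields = parse_qs(body, keep_blank_values=True)
    subjects = {name: values[0] for name, values in fields.items()
                if re.fullmatch(r"category\d+", name)}
    return dict(sorted(subjects.items(),
                       key=lambda kv: int(kv[0][len("category"):])))


def render_unsafe(subject: str) -> str:
    """The vulnerable pattern: the stored value is placed into the page verbatim,
    so any tag inside it becomes live DOM when an administrator opens the tab."""
    return ROW_TEMPLATE.format(subject=subject)


def render_escaped(subject: str) -> str:
    """The fix: HTML-encode on output so the same stored value is shown as text."""
    return ROW_TEMPLATE.format(subject=html.escape(subject, quote=True))


def contains_markup(value: str) -> bool:
    """Detection check: flag a subject value that carries an HTML tag. Subject
    names are free text, so '<' followed by a tag name is a strong signal here."""
    return re.search(r"<\s*/?\s*[a-zA-Z][^>]*>", value) is not None


def flagged_parameters(body: str) -> list[str]:
    """Names of the categoryN parameters in a request body whose value carries markup."""
    return [name for name, value in parse_subjects(body).items()
            if contains_markup(value)]


if __name__ == "__main__":
    for name, value in parse_subjects(SAMPLE_POST_BODY).items():
        print(f"{name}: flagged={contains_markup(value)}")
        print("  unsafe :", render_unsafe(value))
        print("  escaped:", render_escaped(value))
```

Running the block shows category0 flagged and category1 clean; the unsafe rendering of category0 contains a live <iframe> element, while the escaped rendering contains only `&lt;iframe ...&gt;` text. The point for remediation is that the encoding belongs at the output (view) side, because the value is already in the database by the time the administrator's page is built.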



Copyright 2024, cxsecurity.com
