SocialCMS 1.0.2 Cross Site Scripting

2012.04.01

Credit: Ivano Binetti

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2012-1982

CWE: CWE-79

Ogólna skala CVSS: 3.5/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 6.8/10

Wymagany dostęp: Zdalny

Złożoność ataku: Średnia

Autoryzacja: Jednorazowa

Wpływ na poufność: Brak

Wpływ na integralność: Częściowy

Wpływ na dostępność: Brak

+------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : SocialCMS <= 1.0.2 XSS (Persistent and Reflected) Vulnerabilities
# Date : 30-03-2012
# Author : Ivano Binetti (http://www.ivanobinetti.com)
# Vendor site : http://socialcms.com
# Software link : http://sourceforge.net/projects/socialcms/files/latest/download
# Version : 1.0.2 (and lower)
# Tested on : Debian Squeeze (6.0)
# CVE : CVE-2012-1982
# Original Advisory : http://www.webapp-security.com/2012/03/socialcms/
+------------------------------------------------------------------------------------------------------------------------------------+
Summary-
1)Introduction
2)Vulnerability Description
2.1 Persistent XSS
2.2 Reflected XSS
3)Exploit
+------------------------------------------------------------------------------------------------------------------------------------+
1)Introduction
SocialCMS "is online software for developing dynamic websites.It allows non-technical users to create and make changes to a
website easily. It can be used for setting up Company Website, Blog, Video site, Amazon shop, Membership Site, Adsense Site,
Affiliate Review site, Twitter CMS or for Domain Monetization etc.".
2)Vulnerability Description
2.1 Persistent XSS
SocialCMS 1.0.2 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of
"TR_title" parameter, passed to "my_admin/admin1_list_pages.php" via http POST method.
Exploiting this vulnerability an authenticated user - which is able to publish an article - could insert arbitrary
code in web management interface "Title" field - under "my_admin/admin1_list_pages.php?id=<page_id>&action=edit" - that will be
executed when an administrator - or another user - will browse that web page.
2.2 Reflected XSS
The Improper input sanitization of "TR_title" parameter causes also a Reflected XSS for the user which inserts html/javascript
code.
3)Exploit
Insert the following code in "Title" field when you're creating a new page:
"><script>alert(document.cookie)</script>
+-----------------------------------------------------------------------------------------------------------------------------------+

Referencje:

http://sourceforge.net/projects/socialcms/files/latest/download

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SocialCMS 1.0.2 Cross Site Scripting

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.