Mitridat Form Processor Pro XSS

2007.08.06
Credit: Charles Kim
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2007-4144
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Greetings, I have discovered cross-site scripting vulnerability in Mitridat's Form Processor Pro. http://www.mitridat.com/ http://www.mitridat.com/products-form-processor-pro.html Form Mail: Email Form Processor Pro? - process all forms on your website Form Mail: Email Form Processor Pro is the most powerful script to process forms on your website. The script is available in PHP, Perl and ASP versions. No programming knowledge needed to install this script and configure your forms to work with it. One script can handle unlimited amount of any sophisticated forms. You have full layout and design control. The script is featured with: * auto responder; * "preview" and "thank you" pages; * supports attachments, calculations, "if" condition, variable field validations, html emails; * supports multiple pages forms, database data storing and much more features! Operating system and software installed. -Apache 1.3.37 -Form Mail: eMail Form Processor Pro (c) 2000-2003 MitriDAT -The date stamp for this product is year 2000-2003. -Mitridat's customer demo on their website has the same date stamp. How the vulnerability can be reproduced -A HTTP POST to the following parameters with either an IFRAME or SCRIPT tag. base_path= What impact the vulnerability has on the vulnerable system? By enticing a user to click on a crafted url, an attacker can execute arbitrary script code on the victim's browser. Any additional details that might help in the verification process. This initial discovery was on a customer running Mitridat's Form Processor Pro. I was then able to verify the parameter by looking up Mitridat's website and verifying the xss from their public demo. Mitridat has demo's of the Form Processor Pro for public view. http://www.mitridat.com/products-form-processor-pro.html http://www.email-form.com/online-demo.html Here are tested POSTs I've done on Mitridat's public internet demo's. URL http://www.email-form.com/sample-forms/simple-contact-form-with-preview/ simple-contact-form-with-preview.html POST base_path=<iframe src=/>&r_Name=&Company-Name=&re_eMail=&Web-Site-URL=http%3A%2F%2F&r_Coun try=&Phone=&Fax=&r_Subject=&r_Message=&ok2.x=39&ok2.y=13 POST base_path=<script>alert(1111)</script>&r_Name=&Company-Name=&re_eMail=&W eb-Site-URL=http%3A%2F%2F&r_Country=&Phone=&Fax=&r_Subject=&r_Message=&o k2.x=17&ok2.y=6 Charles H Kim


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top