Seo Planet Cookie-Rendered Persistent XSS Vulnerability

2011.01.25
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

'Seo Panel' Cookie-Rendered Persistent XSS Vulnerability (CVE-2010-4331) Mark Stanislav - mark.stanislav (at) gmail (dot) com [email concealed] I. DESCRIPTION --------------------------------------- A vulnerability exists in 'Seo Panel' page rendering which allows for unfiltered, unencrypted content to be presented to a user through two different cookies. II. TESTED VERSION --------------------------------------- 2.2.0 III. PoC EXPLOIT --------------------------------------- Alter the value of cookies called 'default_news' or 'sponsors' and then view a site page which includes controllers/index.ctrl.php or controllers/settings.ctrl.php that will render the cookies as they exist on the user's machine. IV. NOTES --------------------------------------- * The 'default_news' cookie doesn't require a user to be authenticated whereas 'sponsors' does * The disclosure date was pushed a full month so that a fix could be released but no update was released yet * Based on discussions with the developer, they will likely encrypt the cookie contents to prevent this issue V. SOLUTION --------------------------------------- Upgrade to a release > 2.2.0 when available or otherwise disable cookie rendering. VI. REFERENCES --------------------------------------- http://www.seopanel.in/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4331 http://www.uncompiled.com/2011/01/seo-panel-cookie-rendered-persistent-x ss-vulnerability-cve-2010-4331/ VII. TIMELINE --------------------------------------- 11/24/2010 - Initial vendor disclosure 11/25/2010 - Vendor response and commitment to fix 11/25/2010 - Reply to vendor detailing potential fixes and an adjusted public disclosure date 11/25/2010 - Vendor response confirming desired public disclosure date and agreement to patch method 01/15/2011 - Public disclosure

References:

http://xforce.iss.net/xforce/xfdb/64725
http://www.uncompiled.com/2011/01/seo-panel-cookie-rendered-persistent-xss-vulnerability-cve-2010-4331/
http://www.securityfocus.com/bid/45828
http://www.securityfocus.com/archive/1/archive/1/515768/100/0/threaded
http://www.exploit-db.com/exploits/16000


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top