Content Management Framework "G3" - XSS Vulnerability in Search Function INTRO According to the manufacturer, "G3" is a classic content-management-system, allowing customers to manage their own websites without knowing much about webpublishing. Information about the product is available at: http://www.inm.ch/g3.cms/s_page/56770 DESCRIPTION Stefan Friedli discovered a XSS Vulnerabilty in the search module used by many websites powered by G3. By using the chars "<" ">" and quotes, the form can be used to include script code. As there seems to be no determination between parameters being passed by GET or POST, it's possible to pass manipulated content to other users using a simple link passing the parameter search_string. EXPLOIT Classic browser-based script injection techniques are sufficient to exploit this vulnerability. POSSIBLE IMPACT As most XSS vulnerabilities, the impact of this flaw depends on the page being attacked. In this case, a "trusted" site may be used to exploit vulnerabilities in older browsers or compromise accounts on sites using authentication. For several customers of INM, this flaw could cause some additional trouble because of possible phising attacks using this vulnerability to trick customers. SOLUTION The vulnerabilty has not been addressed yet. A patch implementing basic input validation would solve the problem. VENDOR RESPONSE INM has been informed about this vulnerability on 2006-07-06. A reminder was sent 14 days after. There has been no reaction on any message according this issue. TIMELINE 2006-07-05 - Discovery 2006-07-06 - INM has been informed about the flaw 2006-07-20 - Reminder has been sent 2006-08-02 - Public advisory has been published CREDITS This vulnerabilty was discovered by Stefan Friedli. It may be redistributed as-is.
