[MajorSecurity Advisory #35] Travelsized CMS - Multiple Cross Site Scripting Issues

Details
=======
Product: Travelsized CMS
Affected Version: <= 0.4.1
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://leinir.dk/travelsized/
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
============
http://www.majorsecurity.de/index_2.php?major_rls=major_rls35

Introduction
============
Travelsized CMS is a content management system written entirely in PHP.

More Details
============
Cross Site Scripting:
Input passed directly to the "page", "page_id" and "language" parameters in "index.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Fix
===
None known

Solution
=============
Edit the source code to ensure that input is properly sanitised. Use the "htmlspecialchars()" or "htmlentities()" PHP functions to ensure that HTML tags are not interpreted by the browser. It is further recommended to turn off the "register_globals" option in the "php.ini" on your web server.

Example:
<?php
$pass = htmlentities($_POST['pass']);
$test = htmlspecialchars($_GET['test']);
?>

History/Timeline
================
09.11.2006 discovery of the vulnerabilities
10.11.2006 additional tests with other versions
11.11.2006 contacted the vendor
18.11.2006 advisory is written
18.11.2006 advisory released

MajorSecurity
=======
MajorSecurity is a German penetration testing and security research project which consists of only one person at the present time. You can find more information on the MajorSecurity project at http://www.majorsecurity.de/
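Applied to the three index.php parameters named above, as an added example that is not code from the advisory or from Travelsized CMS: escaping covers "page", and the two parameters with a known shape ("page_id", "language") are validated rather than only escaped. The function names, the language allow-list and the reflected HTML are assumptions.

```php
<?php
// Added example, not Travelsized CMS code. Hardened handling of the
// "page", "page_id" and "language" query parameters, assuming index.php
// reflects them into the rendered HTML. Names below are hypothetical.
declare(strict_types=1);

// Constructed allow-list of language codes the site actually ships.
const SUPPORTED_LANGUAGES = ['en', 'da', 'de'];

// Escape for an HTML text node or a double-quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// page_id is numeric by intent: reject anything that is not a positive
// integer instead of trying to "clean" it.
function readPageId(array $query): ?int
{
    $id = filter_var($query['page_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// language must be one of the known codes; anything else falls back to
// the default, so unexpected input never reaches the markup at all.
function readLanguage(array $query, string $default = 'en'): string
{
    $lang = $query['language'] ?? $default;
    return in_array($lang, SUPPORTED_LANGUAGES, true) ? $lang : $default;
}

// page is free text as far as this router is concerned, so every place it
// is reflected goes through h() instead of echoing $_GET values raw.
function renderHeader(array $query): string
{
    $page = $query['page'] ?? 'home';
    if (!is_string($page)) {            // ?page[]=x arrives as an array
        $page = 'home';
    }
    $pageId = readPageId($query);
    $lang = readLanguage($query);

    $title = h($page) . ($pageId === null ? '' : ' #' . $pageId);
    return '<html lang="' . h($lang) . '"><head><title>' . $title
         . '</title></head><body><h1>' . $title . '</h1>';
}

echo renderHeader($_GET);
```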