: Vulnerability ID: HTB22610
: Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluck.html
: Vulnerable Version: 4.6.3 and probably prior versions
: Vendor Notification: 15 September 2010
: Vulnerability Type: XSS (Cross Site Scripting)
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: Medium
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
:
: Vulnerability Details:
: User can execute arbitrary JavaScript code within the vulnerable application.
:
: The vulnerability exists due to failure in the
: "data/modules/blog/pages_admin/newpost.php" script to properly sanitize
: user-supplied input in "cont1" variable. Successful exploitation of this
: vulnerability could result in a compromise of the application, theft of
: cookie-based authentication credentials, disclosure or modification of
: sensitive data.

First off, this requires administrator credentials to exploit. Second, a Pluck administrator can already insert any content s/he desires by creating/editing a page, so there is no gain from using this intended functionality.

For this attack to take place, it would really require something like a CSRF. Fortunately for attackers, it seems you guys missed the CSRF in this application that HolisticInfoSec found:

http://holisticinfosec.org/content/view/154/45/

Keep up the solid research guys.

- security curmudgeon
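The point made above is that an administrator storing raw HTML in "cont1" is intended behaviour, so the thing worth fixing is a third party being able to submit that form on the admin's behalf. The following is an added example, not Pluck's own code: a hypothetical hardened handler in the shape of newpost.php that requires an admin session and a per-session CSRF token before accepting "cont1". The session flag `is_admin`, the `save_post()` storage helper and the `posts.jsonl` file are assumptions for the example.

```php
<?php
// Hypothetical hardened "new post" handler (added example, not Pluck's code).
// The admin may legitimately store raw HTML in cont1, so the control that
// matters is proving the request came from the logged-in admin's own browser.
session_start();

function issue_csrf_token(): string {
    // One random token per session; rotate on login/logout, not per request.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function request_is_valid_post(array $post, array $session): bool {
    // Assumed: login sets $_SESSION['is_admin'] = true for administrators.
    if (empty($session['is_admin'])) {
        return false;
    }
    // Token must be present and compared in constant time.
    $sent     = (string) ($post['csrf_token'] ?? '');
    $expected = (string) ($session['csrf_token'] ?? '');
    return $expected !== '' && hash_equals($expected, $sent);
}

function save_post(string $title, string $cont1): void {
    // Assumed storage: one JSON record per line, stands in for Pluck's own.
    $record = json_encode(['title' => $title, 'cont1' => $cont1]) . "\n";
    file_put_contents(__DIR__ . '/posts.jsonl', $record, FILE_APPEND | LOCK_EX);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!request_is_valid_post($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // cont1 is stored as-is: raw HTML is the admin's intended capability.
    save_post((string) ($_POST['title'] ?? ''), (string) ($_POST['cont1'] ?? ''));
    exit('Saved');
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(issue_csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input name="title"><textarea name="cont1"></textarea>'
   . '<button>Publish</button></form>';
```

A forged cross-site POST lacks the session-bound token, so the handler rejects it before anything reaches storage, which is the gap the reply is pointing at.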