: Vulnerability ID: HTB22610
: Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluck.html
: Vulnerable Version: 4.6.3 and probably prior versions
: Vendor Notification: 15 September 2010
: Vulnerability Type: XSS (Cross Site Scripting)
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: Medium
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
: Vulnerability Details:
: User can execute arbitrary JavaScript code within the vulnerable application.
:
: The vulnerability exists due to failure in the
: "data/modules/blog/pages_admin/newpost.php" script to properly sanitize
: user-supplied input in "cont1" variable. Successful exploitation of this
: vulnerability could result in a compromise of the application, theft of
: cookie-based authentication credentials, disclosure or modification of
: sensitive data.
First off, this requires administrator credentials to exploit. Second, a
Pluck administrator can already insert any content s/he desires by
creating/editing a page, so there is no gain from using this intended
functionality. For this attack to take place, it would really require
something like a CSRF.
Fortunately for attackers, it seems you guys missed the CSRF in this
application that HolisticInfoSec found:
: Vulnerability ID: HTB22610
: Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluck.html
: Vulnerable Version: 4.6.3 and probably prior versions
: Vendor Notification: 15 September 2010
: Vulnerability Type: XSS (Cross Site Scripting)
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: Medium
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
: Vulnerability Details:
: User can execute arbitrary JavaScript code within the vulnerable application.
:
: The vulnerability exists due to failure in the
: "data/modules/blog/pages_admin/newpost.php" script to properly sanitize
: user-supplied input in "cont1" variable. Successful exploitation of this
: vulnerability could result in a compromise of the application, theft of
: cookie-based authentication credentials, disclosure or modification of
: sensitive data.
First off, this requires administrator credentials to exploit. Second, a
Pluck administrator can already insert any content s/he desires by
creating/editing a page, so there is no gain from using this intended
functionality. For this attack to take place, it would really require
something like a CSRF.
Fortunately for attackers, it seems you guys missed the CSRF in this
application that HolisticInfoSec found:
http://holisticinfosec.org/content/view/154/45/
Keep up the solid research guys.
- security curmudgeon
[ reply ]