by r0t,der4444,cembo,VietMafia

Saturday, December 17, 2005

Hot Banana XSS vuln.


Vuln. discovered by: r0t
Date: 17 dec. 2005
vendor: www.hotbanana.com/products/web-content-management-suite/
affected version: 5.3 and prior

Description:

Founded in 1999, Hot Banana powers Web sites for more than 180 companies worldwide. Designed for non-technical users, Hot Banana is a full-fledged Web Content Management Suite that manages the content creation and delivery process of a Web site. The Hot Banana Active Marketing Web Content Management Suite consists of the end-to-end integration of Web Content Management, Internet marketing, search engine optimization (SEO), and WebTrends 7.5 Web analytics. Hot Banana is an ideal Web site solution for online branding, corporate communications, lead generation & conversion campaigns, customer retention, PR, and event marketing programs. Hot Banana is available as Hot Banana On-Demand (Software-as-a-Service (SaaS)), or as Hot Banana Licensed. Clients include: Algoma Steel, Bell Industries, Parents Action for Children, Ansell Healthcare Europe, World Vision, Beaver Vending, Los Alamos School Board (New Mexico), Law Society of Upper Canada, Expertech, and The County of Simcoe. Hot Banana Software Inc. is profitable and privately held. www.hotbanana.com


Vuln. Description:

Hot Banana contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "keywords" parameter of "index.cfm" is not properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that executes arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example:

/search/index.cfm?keywords=[XSS]&x=25&y=9

Solution:
Edit the source code to ensure that the "keywords" input is properly sanitised (HTML-encoded) before it is returned to the user.
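The reflection point here is the search text box, so the user-supplied value lands inside an HTML attribute. The following is an added example (not Hot Banana's code, and not from the advisory) that reconstructs that pattern in Python and places the hardened form beside it: a hypothetical template for the search box, rendered once with the raw parameter and once with attribute-context encoding. The CFML counterpart of html.escape() for this purpose is HTMLEditFormat(). The sample query string is constructed test data.

```python
import html
import re

# Constructed sample query: it contains the characters that matter inside an
# HTML attribute (a double quote, angle brackets and an ampersand). This is
# test data, not a payload taken from the advisory.
SAMPLE_KEYWORDS = 'hot banana" <b>bold</b> & more'

# Hypothetical search-box template, standing in for the real index.cfm markup.
TEMPLATE = '<input type="text" name="keywords" value="{value}">'


def render_search_box_unsafe(keywords: str) -> str:
    """Vulnerable pattern: the raw query parameter is dropped straight into
    the value="" attribute of the search text box."""
    return TEMPLATE.format(value=keywords)


def render_search_box_safe(keywords: str) -> str:
    """Hardened form: encode for the HTML attribute context before echoing.
    html.escape(quote=True) turns & < > " ' into entities, so the browser can
    never see a quote that closes the attribute early."""
    return TEMPLATE.format(value=html.escape(keywords, quote=True))


def attribute_value(rendered: str) -> str:
    """What a browser treats as the value attribute: everything up to the
    first raw double quote after value=."""
    match = re.search(r'value="([^"]*)"', rendered)
    return match.group(1) if match else ""


def user_text_stays_inside_attribute(rendered: str, keywords: str) -> bool:
    """True when the whole query round-trips as the attribute value, i.e. no
    part of it spilled out into tag or body context."""
    return html.unescape(attribute_value(rendered)) == keywords


if __name__ == "__main__":
    for name, render in (("unsafe", render_search_box_unsafe),
                         ("safe", render_search_box_safe)):
        out = render(SAMPLE_KEYWORDS)
        print(f"{name}: {out}")
        print(f"  contained: {user_text_stays_inside_attribute(out, SAMPLE_KEYWORDS)}")
```

In the unsafe rendering the attribute ends at the user's quote and the rest of the string becomes new markup; in the safe rendering the text is preserved exactly but stays a string value.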

5 Comments:

Anonymous Chris Adams - CTO told...

Thank you for reporting this low-level security issue on Secunia today. We take security very seriously.

The problem has been addressed and a patch is now available to all Hot Banana users. The global fix will be addressed in our upcoming 5.3.4 – pre-release to our 5.4 winter 2006 release. All new Web sites have the code in place.

Hot Banana uses the highest standards of programming structure and the highest security levels to prevent any abuse or infractions.

We use programming best practices, and ColdFusion MX 7 Application Server code, to protect all our client Web sites from possible hacker attacks.

If you have any questions, please contact me directly at chris@hotbanana.com.

I will continue to monitor XSS in the future.

Note: Search keywords have never been displayed in the body of the Web page where most XSS attacks occur, but in a search text box.

11:18 PM

Anonymous Topper told...

Search engine optimization, submission and highly-targeted traffic can be found exclusively at www.TheOnlinePromoters.com

11:13 PM

Anonymous joel told...

Many internet marketeers blow mountains of start-up cash on their websites just trying to break into search engine rankings. I was one of these internet marketeers.
Link to this site: seo service
http://seo-faq.info/

8:15 PM

Anonymous Money told...

Hello,

Be a nice webmaster and send me some more info! P.S. Your site's great. Thanks a lot. :o)

Thanks,
make money fast online

10:00 PM

Blogger britney told...

The good thing about your blog is, it's natural. Appreciate your views and added my comment on it. Keep it moving and have a great blog. Cheers !!!! quick payday

1:56 AM


Copyright (c) 2006 Pridels Sec Crew