by r0t,der4444,cembo,VietMafia

Sunday, December 18, 2005

lemoon® XSS vuln

lemoon® XSS vuln

Vuln. discovered by : r0t
Date: 18 dec. 2005
affected version: 2.0 and prior

Product Description:

lemoon® is a fully packaged CM software solution that combines simplicity with versatility. It requires no third party licenses and thus offers a very competitive price. A free demo is available. Customers using lemoon� includes Sony Ericsson, Precise Biometrics, Q-MATIC, AudioDev, Pharmadule Emtunga and more.

Vuln. Description:

lemoon® contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module paremters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Edit the source code to ensure that input is properly sanitised.


Anonymous Anonymous told...

lemoon is an off the shelf CMS system based on .NET framework. Sites are built on top of ASP.NET and you use lemoon core objects to easily manage and render content. The XSS vuln. you are referring to exists in one of our public sites built on lemoon i.e. a custom made site (as all sites are). The problem exists in a UserControl that handles form input and is in no way related to the lemoon core product. It would be like blaming MS Word for a spelling mistake in a document. I'm sure you are not in the business of reporting about a "security vulnerability" on a corporate website.

Please update/remove this security issue.

Best regards,

Måns Öhrström
CTO, Mindroute Software

11:42 PM


Post a Comment

<< Home

Copyright (c) 2006 Pridels Sec Crew