by r0t,der4444,cembo,VietMafia

Wednesday, December 21, 2005

papaya CMS XSS vuln.

papaya CMS XSS vuln.

Vuln. discovered by : r0t
Date: 21 dec. 2005
affected version: 4.0.4 and prior

Product Description:

papaya CMS content management system and framework was designed for individual, mid-sized and enterprise wide deployments. The papaya CMS meets large-scaled project requirements and offers extremely short implementation times. Since 2001, papaya CMS has been deployed at high profile customers such as AGOF (members include: AOL, GMX, Bauer, Gruner & Jahr,, Yahoo Inc., Lycos Inc. etc.), DHL and the Handelsblatt publishing group. papaya is based on proven OpenSource technologies as PHP, XSLT/XML and supports RDBS (e.g. MySQL and PostgreSQL). papaya is OpenSource software (under GPL-license) since 2005. papaya Software GmbH delivers website creation and custom application development. More information: PLEASE NOTE: The website is only available in german until mid of June, 2005. The GUI and the documentation is already available in english. In the meantime, feel free to check for a short description or to contact the maintainer of this project for further information.

Vuln. Description:

papaya CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "bab[searchfor]" paremter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



Edit the source code to ensure that input is properly sanitised.


Anonymous Anonymous told...


if you find exploits/bugs, it would be really nice if you would inform the projects...

Thanks a lot & best regards,
papaya Team

4:23 PM


Post a Comment

<< Home

Copyright (c) 2006 Pridels Sec Crew