by r0t, der4444, cembo, VietMafia

Wednesday, December 21, 2005

SCOOP! Multiple XSS vuln.

Vuln. discovered by: r0t
Date: 21 Dec. 2005
Vendor: http://scoop.cim.com.au/
Affected version: 2.3 and prior


Product Description:

SCOOP! is the innovative Australian web content management system that will change the way we see and manage the content of our web sites. The SCOOP! web content management system allows web site managers and owners to publish and manage web site content without any HTML or web scripting knowledge. SCOOP! employs browser based editing of web content and template management. Content managers rather than programmers or IT departments, can publish text and images through an intuitive browser based interface, from anywhere, anytime.

Vuln. Description:

SCOOP! contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "keywords", "username", "area", "articleZoneID" and "r" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

In addition, the attacker can choose which parameters to present to the target, using "category.asp", "articleZone.asp", "account_login.asp", "lostPassword.asp" and "articleSearch.asp", because those scripts do not filter their parameters. See the examples below:

Examples:


/articleSearch.asp?keywords=[XSS]

/lostPassword.asp?username=[XSS]

/account_login.asp?Username=[XSS]

/account_login.asp?Password=[XSS]

/category.asp?area=[XSS]

/category.asp?area=support&articleZoneID=[XSS]

/category.asp?area=support&articleZoneID=132&r=[XSS]


You can change these to any parameters you want, wherever a script uses parameters :)

/category.asp?pridels_Crew_XSS_r0t=[XSS]

/articleZone.asp?r0t_r0t_r0t_r0t_r0t=[XSS]

/account_login.asp?r0t_like_THIS=[XSS]

/lostPassword.asp?GIVE_TO_r0t_ADMIN_PWD=[XSS]

/articleSearch.asp?FIND_SCOOP!_BEST_CODERS=[XSS]

/prePurchaserRegistration.asp?isn't_lame_2_purchase?=[XSS]

/requestDemo.asp?_whata_*faq*?=[XSS]


Solution:
Edit the source code to ensure that input is properly sanitised.
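
One way to apply this in a classic ASP page, as an added example (this is not SCOOP! source code; the helper names H, SafeId and SafeQuery and the page markup are assumptions). Because arbitrary parameter names are reflected as well as the named ones, it encodes every echoed name and value and accepts only digits for ID parameters.

```asp
<%
' Added example, not SCOOP! source: helper names and markup are assumptions.

' HTML-encode a value for element text or a quoted attribute.
Function H(ByVal s)
    H = Server.HTMLEncode(CStr(s & ""))
End Function

' IDs such as articleZoneID must be plain digits; anything else becomes 0.
Function SafeId(ByVal s)
    Dim re, t
    t = CStr(s & "")
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(t) Then SafeId = CLng(t) Else SafeId = 0
End Function

' Rebuild the query string from the parsed pairs, percent-encoding every
' name and value, rather than echoing the raw QUERY_STRING server variable.
Function SafeQuery()
    Dim k, v, out
    out = ""
    For Each k In Request.QueryString
        For Each v In Request.QueryString(k)
            If out <> "" Then out = out & "&"
            out = out & Server.URLEncode(k) & "=" & Server.URLEncode(v)
        Next
    Next
    SafeQuery = out
End Function

' Weak (assumed shape of the flaw): input written back unencoded.
'   Response.Write Request.QueryString("keywords")
' A submitted Password value should not be written back into the page at all.
%>
<!-- Corrected: every reflected value is encoded for its output context. -->
<form action="articleSearch.asp" method="get">
  <input type="text" name="keywords" value="<%= H(Request.QueryString("keywords")) %>">
</form>
<a href="articleSearch.asp?<%= H(SafeQuery()) %>">Link to this search</a>
<a href="category.asp?area=<%= H(Server.URLEncode(CStr(Request.QueryString("area") & ""))) %>&amp;articleZoneID=<%= SafeId(Request.QueryString("articleZoneID")) %>">Back to category</a>
```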

Copyright (c) 2006 Pridels Sec Crew