ToendaCMS - Cross Site Scripting Issue
[MajorSecurity Advisory #27] ToendaCMS - Cross Site Scripting Issue

Details
========
Product: Toenda CMS
Affected Version: <=1.0.3 (stable) and 1.1
Immune Version: None known
Security-Risk: low
Remote-Exploit: yes
Vendor-URL: http://www.toenda.com/
Vendor-Status: informed
Advisory-Status: published

Credits
=============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
=============
http://www.majorsecurity.de/index_en2.php?major_rls=major_rls27

Introduction
=============
"The toendaCMS Content Management and Weblogging tool gives you a modern,
professional publishing system, based on an SQL and/or XML database.." (from Vendor's page)

More Details
=============
Input passed to the "?s" parameter in "/toendaCMS/" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
It works with script code like this:

>'>alert(123456789)%3B

Fix
====
None known.

Solution
==============
Edit the source code to ensure that input is properly sanitised.
Pass the value through the PHP function "htmlspecialchars()" or "htmlentities()" before it is output, so that any HTML tags
in it are displayed as text rather than parsed by the browser. Further, it is recommended to switch off the "register_globals" option in the
"php.ini" on your webserver.

Example:


Set "register_globals" to "Off".

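The following is an added illustration of the fix described above; it is not code from the advisory or from toendaCMS. It assumes a page that reflects the "s" search parameter into an input field, and shows the vulnerable echo beside the hardened one that runs the value through htmlspecialchars() with ENT_QUOTES. The test string is constructed for this example.

```php
<?php
// Added example (not from the advisory or the toendaCMS code base): a
// minimal stand-in for a page that reflects the "s" search parameter.
// The vulnerable form echoes the raw value; the hardened form encodes
// it with htmlspecialchars() before it reaches the browser.

declare(strict_types=1);

// Vulnerable: the parameter is written into the page unchanged, so any
// markup in it is parsed by the browser as part of the site.
function renderSearchBoxVulnerable(string $s): string
{
    return '<input type="text" name="s" value="' . $s . '">';
}

// Hardened: htmlspecialchars() turns <, >, &, " and (with ENT_QUOTES) '
// into entities, so the value can only be displayed, never parsed as a
// tag or as an attribute delimiter. ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string for the value.
function renderSearchBoxSafe(string $s): string
{
    $safe = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="s" value="' . $safe . '">';
}

// Read the parameter explicitly from $_GET instead of relying on
// register_globals (which the advisory recommends switching off): with
// register_globals off, a request cannot silently populate $s.
function searchParam(): string
{
    return isset($_GET['s']) && is_string($_GET['s']) ? $_GET['s'] : '';
}

// Constructed input (hypothetical, for this example only): it closes the
// attribute and the tag, then injects harmless markup.
$constructed = '"><b>injected</b>';

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the two outputs side by side.
    echo "Vulnerable: ", renderSearchBoxVulnerable($constructed), PHP_EOL;
    echo "Hardened:   ", renderSearchBoxSafe($constructed), PHP_EOL;
} else {
    header('Content-Type: text/html; charset=UTF-8');
    echo renderSearchBoxSafe(searchParam());
}
```

Run from the CLI, the vulnerable line emits a second tag after the closed input element, while the hardened line emits `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` inside the attribute, which the browser renders as literal text. The charset passed to htmlspecialchars() should match the page's declared encoding, which is why the hardened branch also sets the Content-Type header.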
History/Timeline
=================
19.07.2006  discovery of the vulnerability
20.07.2006  additional tests with other versions
21.07.2006  contacted Toenda Software Development (vendor) on their own BugTraq.
01.08.2006  after 10 days I still had no response to my advice on their own BugTraq.
02.08.2006  advisory is written
03.08.2006  advisory released

MajorSecurity
========
MajorSecurity is a German penetration testing and hacking security project
which consists of only one person at the present time.
I am looking for a partnership.
You can find more information on the MajorSecurity Project at
http://www.majorsecurity.de/