Editor's note: 4 Advisories are grouped together here. ======================================================================= *Community Server - Stored Cross-site Scripting in user's signature. * - Product description: Community Server is a communities and collaboration web application developed by Telligent. It uses ASP.NET platform (C#) and Microsoft SQL Server database. From it's 5.0 version, the software was renamed to Telligent Community. - Vulnerability Details: It is possible to insert scripts (Cross-site Scripting) in user's signature, using BBCode Tag's processing errors. - Proof of Concept: Set an user's signature to: [img]invalid.jpg[url= onerror=alert(1) z=] a[/url][/img] An alert will be show in every topic the user posts in and also in its profile. - Affected Versions: Community Server 2007 (may affect others) - Unaffected Versions: Telligent Community 5.x or earlier - Timeline: [05/25/10] Vulnerability details sent to address for security related contacts present at company's website, although the address did not exist. [05/26/10] Ticket opened asking for contact to send off vulnerability details. [05/26/10] Ticket's answer received, containing e-mail for the sending of vulnerability details. [05/26/10]Vulnerability details sent. [05/26/10] Answer received informing that vulnerability did not exist on latest versions of the product. [07/15/11] Advisory published. - Credits: PontoSec - Segurança da Informação < http://www.pontosec.com > - Researcher: Gabriel Lima (gabriel pontosec.com) ======================================================================= Community Server - Reflected Cross-Site Scripting - TagSelector.aspx - Product description: Community Server is a communities and collaboration web application developed by Telligent. It uses ASP.NET platform (C#) and Microsoft SQL Server database. From it's 5.0 version, the software was renamed to Telligent Community. - Vulnerability Details: It is possible to insert scripts at the page (Cross-site Scripting) through the TagEditor parameter (GET) from /utility/TagSelector.aspx. - Proof of Concept: When accessing the TagSelector.aspx file, setting the TagEditor value as “ ‘);%0Aalert(1); ”, an alert box containing a number 1 appears, confirming the vulnerability. Example: http://site.example/utility/TagSelector.aspx?TagEditor=’);%0Aalert(1); - Affected Versions: Community Server 2007 Community Server 2008 (may affect others) - Unaffected Versions: Telligent Community 5.x or earlier - Timeline: [05/25/10] Vulnerability details sent to address for security related contacts present at company's website, although the address did not exist. [05/26/10] Ticket opened asking for contact to send off vulnerability details. [05/26/10] Ticket's answer received, containing e-mail for the sending of vulnerability details. [05/26/10] Vulnerability details sent. [05/26/10] Answer received informing that vulnerability did not exist on latest versions of the product. [07/15/11] Advisory published. Credits: PontoSec - Segurança da Informação < http://www.pontosec.com > - Researcher: Gabriel Lima (gabriel pontosec.com) ======================================================================= Community Server - Reflected Cross-Site Scripting - TagSelector.aspx - Product description: Community Server is a communities and collaboration web application developed by Telligent. It uses ASP.NET platform (C#) and Microsoft SQL Server database. From it's 5.0 version, the software was renamed to Telligent Community. - Vulnerability Details: It is possible to insert scripts at the page (Cross-site Scripting) through the TagEditor parameter (GET) from /utility/TagSelector.aspx. - Proof of Concept: When accessing the TagSelector.aspx file, setting the TagEditor value as “ ‘);%0Aalert(1); ”, an alert box containing a number 1 appears, confirming the vulnerability. Example: http://site.example/utility/TagSelector.aspx?TagEditor=’);%0Aalert(1); - Affected Versions: Community Server 2007 Community Server 2008 (may affect others) - Unaffected Versions: Telligent Community 5.x or earlier - Timeline: [05/25/10] Vulnerability details sent to address for security related contacts present at company's website, although the address did not exist. [05/26/10] Ticket opened asking for contact to send off vulnerability details. [05/26/10] Ticket's answer received, containing e-mail for the sending of vulnerability details. [05/26/10] Vulnerability details sent. [05/26/10] Answer received informing that vulnerability did not exist on latest versions of the product. [07/15/11] Advisory published. Credits: PontoSec - Segurança da Informação < http://www.pontosec.com > - Researcher: Gabriel Lima (gabriel pontosec.com) ======================================================================= Community Server - Stored Cross-site Scripting in user's signature. - Product description: Community Server is a communities and collaboration web application developed by Telligent. It uses ASP.NET platform (C#) and Microsoft SQL Server database. From it's 5.0 version, the software was renamed to Telligent Community. - Vulnerability Details: It is possible to insert scripts (Cross-site Scripting) in user's signature, using BBCode Tag's processing errors. - Proof of Concept: Set an user's signature to: [img]invalid.jpg[url= onerror=alert(1) z=] a[/url][/img] An alert will be show in every topic the user posts in and also in its profile. - Affected Versions: Community Server 2007 (may affect others) - Unaffected Versions: Telligent Community 5.x or earlier - Timeline: [05/25/10] Vulnerability details sent to address for security related contacts present at company's website, although the address did not exist. [05/26/10] Ticket opened asking for contact to send off vulnerability details. [05/26/10] Ticket's answer received, containing e-mail for the sending of vulnerability details. [05/26/10]Vulnerability details sent. [05/26/10] Answer received informing that vulnerability did not exist on latest versions of the product. [07/15/11] Advisory published. - Credits: PontoSec - Segurança da Informação < http://www.pontosec.com > - Researcher: Gabriel Lima (gabriel pontosec.com)