XSS in Synkron.web CMS

[gyrniff <b240503 () gyrniff dk>]

Release Date:   06.06.2003 
Application:    Synkron.web 3  
Vendor:         http://www.synkron.com/          
Category:               XSS 
Risk:                   Low 
Vendor Status:  Absend                   
Author:         Torben 'Gyrniff' Frohn
 
Intro 
==== 
Synkron.web 3 is a module based CMS running on IIS. 
 
"Ever since 1997, it has been Synkron's mission to help companies manage on 
their own when setting up a presence on the Internet. To achieve this, 
Synkron has developed a so-called "Web content management" system, which 
everyone with a user-level knowledge of IT can learn to use in less than a 
single day." (quote from vendor site.) 
 
Problem 
====== 
The search module do not html encode incoming special characters in the 
output.  It is not an easy task to exploit because of the POST method used in 
the search, but synkron .web have a caching that could be used in an exploit.  
 
Proof of Concept 
============= 
First visit the search page: 
        http://www.example.net/sw000.asp 
Then search for: 
        "><script>alert('test')</script> 
You will see a javascript pop-up. 
Finally visit the cached page: 
        http://www.example.net/sw000.asp?SearchCacheId=xx\ 
        &SearchPageNumberII=1&SearchParaId=y&SearchParaType=zzz 
This will show the same javascript pop-up as above. 
 
Full Disclosure 
=========== 
N/A, but http://www.synkron.com/ contain links to vulnerable sites. 
 
Fix 
=== 
Unknown but probably fixed in version 3.5. 
 
Credits 
===== 
Vulnerability found by Torben Frohn (Gyrniff) 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html