Full Disclosure mailing list archives
XSS in Synkron.web CMS
From: gyrniff <b240503 () gyrniff dk>
Date: Fri, 6 Jun 2003 10:58:51 +0200
Release Date: 06.06.2003
Application: Synkron.web 3
Vendor: http://www.synkron.com/
Category: XSS
Risk: Low
Vendor Status: Absent
Author: Torben 'Gyrniff' Frohn

Intro
====
Synkron.web 3 is a module-based CMS running on IIS.
"Ever since 1997, it has been Synkron's mission to help companies manage on their own when setting up a presence on the Internet. To achieve this, Synkron has developed a so-called "Web content management" system, which everyone with a user-level knowledge of IT can learn to use in less than a single day." (quote from vendor site.)

Problem
======
The search module does not HTML-encode incoming special characters in the output. It is not easy to exploit because the search uses the POST method, but Synkron.web has a cache that could be used in an exploit.

Proof of Concept
=============
First visit the search page:
http://www.example.net/sw000.asp

Then search for:
"><script>alert('test')</script>

You will see a JavaScript pop-up.

Finally visit the cached page:
http://www.example.net/sw000.asp?SearchCacheId=xx\
&SearchPageNumberII=1&SearchParaId=y&SearchParaType=zzz

This will show the same JavaScript pop-up as above.

Full Disclosure
===========
N/A, but http://www.synkron.com/ contains links to vulnerable sites.

Fix
===
Unknown, but probably fixed in version 3.5.

Credits
=====
Vulnerability found by Torben Frohn (Gyrniff)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
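The missing output encoding described under "Problem", and the fix for it, as an added example that is not part of the original advisory and is not Synkron's code. It shows why encoding at render time closes both the POST search and the cached GET page. The markup, the function names and the cache model (term stored under an id and re-rendered on GET) are assumptions made for illustration.

```python
import html

# Constructed sample: the search string from the advisory's proof of concept.
POC_TERM = "\"><script>alert('test')</script>"

def render_unsafe(term):
    """The 'before': the search term is copied into the page unencoded."""
    return ('<input name="q" value="' + term + '">\n'
            '<p>Results for ' + term + '</p>')

def render_safe(term):
    """The 'after': HTML-encode the term for attribute and text context."""
    enc = html.escape(term, quote=True)  # encodes & < > " and '
    return ('<input name="q" value="' + enc + '">\n'
            '<p>Results for ' + enc + '</p>')

class SearchCache:
    """Hypothetical stand-in for the search cache (assumed behaviour):
    a POST search stores the term under an id, and a later GET with
    that id renders the result page again."""
    def __init__(self, render):
        self._render = render
        self._terms = {}

    def post_search(self, term):
        cache_id = len(self._terms) + 1
        self._terms[cache_id] = term
        return cache_id, self._render(term)

    def get_cached(self, cache_id):
        return self._render(self._terms[cache_id])

def has_live_script(page):
    """True if a raw <script> tag reached the markup."""
    return "<script" in page.lower()

def demo(render):
    """Return (script in POST response, script in cached GET response)."""
    cache = SearchCache(render)
    cache_id, post_page = cache.post_search(POC_TERM)
    return has_live_script(post_page), has_live_script(cache.get_cached(cache_id))

if __name__ == "__main__":
    print("unencoded:", demo(render_unsafe))
    print("encoded:  ", demo(render_safe))
```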