Re: [MajorSecurity SA-081]Contao CMS 2.9.2 - Persistent Cross Site Scripting Issue

[Henri Salo <henri () nerv fi>]

On Wed, Jan 12, 2011 at 03:51:15PM -0700, david.kurz () majorsecurity net wrote:
> [MajorSecurity SA-081]Contao CMS 2.9.2 - Persistent Cross Site Scripting Issue
>
> Details
> =============
> Product: Contao CMS 2.9.2
> Security-Risk: moderated
> Remote-Exploit: yes
> Vendor-URL: http://www.contao.org/
> Advisory-Status: published
>
> Credits
> =============
> Discovered by: David Vieira-Kurz
>
> Affected Products:
> =============
> Contao CMS 2.9.2
> Prior versions may also be vulnerable
>
> Description
> =============
> "Contao is an open source content management system (CMS) for people who want a professional internet presence that 
> is easy to maintain." - from www.contao.org
>
> More Details
> =============
> I have discovered some vulnerabilities in Contao CMS 2.9.2, which can be exploited by malicious people to conduct 
> persistent cross-site scripting attacks. Input passed directly over the "HTTP_X_FORWARDED_FOR" header in 
> "/system/libraries/Environment.php" is not properly sanitised before being stored and returned to the user out from 
> the "/system/modules/comments/Comments.php" file when the user browses the "/contao/main.php?do=comments" site. This 
> can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
>
> Solution
> =============
> Update to the patched version 2.9.3.
>
> Timeline
> ================
> 2010-12-24, vendor informed ( see ticket 2751 )
> 2011-01-01, vendor confirmed the issue
> 2011-01-06, vendor relased a patched version(2.9.3)
> 2011-01-12, advisory published
>
> Use of terms
> ================
> Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in 
> printing or otherwise, contact us for permission. Use of the advisory constitutes acceptance for use in an "as is" 
> condition. All warranties are excluded. In no event shall MajorSecurity be liable for any damages whatsoever 
> including direct, indirect, incidental, consequential, loss of business profits or special damages, even if 
> MajorSecurity has been advised of the possibility of such damages.

CVE-2011-0508

- Henri Salo