oss-sec mailing list archives
Re: CVE Request -- Zikula (v1.3.x) -- XSS flaw due improper sanitization of 'themename' parameter by setting default, modifying and deleting themes
From: Josh Bressers <bressers () redhat com>
Date: Fri, 9 Sep 2011 13:50:44 -0400 (EDT)
Please use CVE-2011-3352

Thanks.

--
JB

----- Original Message -----

Hello Josh, Steve, vendors,

it was found that the Zikula web application framework did not properly sanitize the 'themename' parameter, while setting particular theme as a default one, modifying the theme or deleting it. A remote attacker, with Zikula administrator privilege, could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

References:
[1] http://www.securityfocus.com/archive/1/519565/30/0/threaded
[2] https://www.htbridge.ch/advisory/xss_in_zikula.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=736707

Relevant upstream patch:
[4] https://github.com/zikula/core/commit/c27dc3ddce8c9ff519ed57397e3bdf8f281aade6

Vulnerable Zikula versions: Development versions prior to patch [4].

Not vulnerable versions: Zikula v1.2.7 (stable). Doesn't contain code in question yet.

Provided PoC (from [1], [2]):
=============================
http://host/index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Could you allocate a CVE id for this?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
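For detection, the request shape described in the report (theme admin module, 'themename' value carrying markup) can be looked for in web server access logs. The following is an added example, not part of the thread or of Zikula's code; the allow-list pattern for theme names, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: a legitimate theme name is a short identifier.
# This is not Zikula's own validation rule.
SAFE_THEME = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_themename(log_line):
    """Return the decoded 'themename' value when a request to the theme admin
    module carries a value that is not a plain identifier, otherwise None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    try:
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    except ValueError:  # malformed request target
        return None
    if "theme" not in query.get("module", []) or "admin" not in query.get("type", []):
        return None
    for value in query.get("themename", []):
        # parse_qs percent-decodes once; a double-encoded value still
        # contains '%' and therefore also fails the allow-list.
        if not SAFE_THEME.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_themename(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation addresses, invented theme name).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Sep/2011:10:00:00 -0400] "GET /index.php?module=theme&type=admin&func=setasdefault&themename=ExampleTheme HTTP/1.1" 200 5120',
    '192.0.2.10 - - [09/Sep/2011:10:00:05 -0400] "GET /index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 5300',
    '192.0.2.11 - - [09/Sep/2011:10:00:09 -0400] "GET /index.php?module=users&type=admin&themename=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: themename={value!r}")
```

Only query-string parameters appear in access logs, so values sent in a POST body are not covered by this check.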
Current thread:
- CVE Request -- Zikula (v1.3.x) -- XSS flaw due improper sanitization of 'themename' parameter by setting default, modifying and deleting themes Jan Lieskovsky (Sep 08)
- Re: CVE Request -- Zikula (v1.3.x) -- XSS flaw due improper sanitization of 'themename' parameter by setting default, modifying and deleting themes Josh Bressers (Sep 09)