oss-sec mailing list archives

CVE request: Havalite CMS 1.1.7 stored XSS vulnerability in comments of blog posts


From: Henri Salo <henri () nerv fi>
Date: Sun, 6 Jan 2013 16:20:30 +0200

Havalite CMS has a stored XSS vulnerability in comments of blog posts. Example:

POST http://example.com/?p=1 "comment" with value %E2%80%9C%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

Tested in 1.1.7 (cbd391e913d04224225cf924a7fcb2b5), which was uploaded 2012-11-07 to sourceforge.net. I tried to
contact the vendor without response.

https://sourceforge.net/projects/havalite/files/

Some other notes:
- CVE-2012-5919 is still not fixed in the 1.1.7 version
- CVE-2012-5893 does not work without administrator privileges, but uploaded files are executed (for example PHP)
- Typos in "readme.html"
- 777 modes are not needed even though they were in several places. 711 is enough for content directories

I recommend not to use this software before these vulnerabilities are fixed.

---
Henri Salo
ps. I have regression tests for these issues if someone needs them :)
pss. Please note that havalite.com is not affected by this issue for some reason
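
A regression check for the stored XSS reported above, as an added example that is not part of the original post and not Havalite code. It URL-decodes the reported "comment" value, renders it through two constructed stand-in templates (render_raw and render_escaped are assumptions, not the CMS's functions), and parses the resulting HTML to see whether a script element survives.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# "comment" value from the report, URL-decoded (starts with U+201C, then ">")
PAYLOAD = unquote(
    "%E2%80%9C%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"
)


def render_raw(comment):
    """Constructed stand-in: template that echoes the stored comment as-is."""
    return '<div class="comment">' + comment + "</div>"


def render_escaped(comment):
    """Same template with HTML output encoding applied to the stored value."""
    return '<div class="comment">' + escape(comment, quote=True) + "</div>"


class ScriptFinder(HTMLParser):
    """Collects markup a browser would execute: script tags, on* attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler " + name)


def active_content(page_html):
    """Return the list of executable constructs found in rendered HTML."""
    finder = ScriptFinder()
    finder.feed(page_html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for name, render in (("raw", render_raw), ("escaped", render_escaped)):
        found = active_content(render(PAYLOAD))
        print(name, "->", found if found else "no active content")
```

Against a real installation, the same active_content() check can be pointed at the fetched HTML of the post page after a test comment has been stored.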

