Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

DeskPRO Admin Panel Multiple HTML Injections

PHP Blue Dragon CMS 3.0.0 Remote File Inclusion Vulnerability (0dd exploit)

JobLister3 SQL injection vulnerabilities

Neuron Blog Admin Permission Bypass and Remote File Upload Vulnerability

From:	webmaster_(at)_i-s-o.org <webmaster_(at)_i-s-o.org>
Date:	14.08.2007
Subject:	eXV2.de Browser Cookie is not properly sanitised

Details
=======
Product: eXV2.de CMS <= 2.0.5.
Severity: moderated
Remote-Exploit: yes
Vendor-URL: http://www.exv2.de/
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: Vision aka n-tier
http://www.i-s-o.org

Original Advisory:
============
http://www.i-s-o.org/security.txt

Introduction
============
eXV2.de CMS is a Content Management System.

More Details
============
1. Cross Site Scripting:
Input passed directly to the "set_lang" parameter in the Browser Cookie is not properly sanitised before being returned to the user.
A user can sent a cookie to himself with ?/set_lang=deutsch and edit it.  
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Workaround: [Cross Site Scripting]
=============
Edit the source code to ensure that input is properly sanitised.


Example:

$my_Cookie_Vars =  $_COOKIE;

if (isset($my_Cookie_Vars['set_lang'])){
   if (($my_Cookie_Vars['set_lang'] == "deutsch")||($my_Cookie_Vars['set_lang'] == "english")||($my_Cookie_Vars['set_lang'] == "french")) {                       
       }  else {
           $abuse = true;
           $xoopsConfig['language'] = $xoopsConfig['default_language'];                 
       }    
}   


if ($abuse){
   die("The desired action could not be performed.");
}



History/Timeline
================
7.08.2007 discovery of the vulnerabilities
8.08.2007 additional tests with other versions
10.08.2007 contacted the vendor