OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: gcsb (gcsbnzyahoo.com)
Date: Sat Apr 20 2002 - 02:51:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Overview
    --------

    PostCalendar is an add-on for the popular PostNuke
    content management system. It provides a calender that
    lets users add events to.

    Problem
    -------

    A user can add an event with unchecked HTML tags in.
    This includes the <script> tag which allows an
    attacker to steal cookies, redirect the site and much
    more.

    Exploit
    -------

    As a logged in user, enter a bogus calendar entry
    WITHOUT any html. Hit the preview button. On the
    screen you get from that, alter your post to contain
    your favorite javascript in between <script></script>
    tags. Hit submit.
    When a user goes to view your event, the javascript
    will execute. (the calander block is not affected by
    this, only the main pages).

    Vendor Status
    -------------

    Vendor notified 19/Apr/2002 21:19 PDT. Initial
    responce recieved 20 Apr 2002 01:41 PDT (very nice!).
    Patch sent to me a few hours later. (Yahoo has it's
    times in PDT, ah well). Cool vendor! Thanks dude!

    Unsure of next version release, but asked vendor to
    release patch if nothing else. Asked vendor if I could
    include patch in advisory - but I think he went to
    sleep (it was 3:30am his time)...:\

    I'll include it anyhow, I'm sure he won't mind :) You
    might want to check it doesn't break your site
    though...i will take no responsibilty!!! :)

    Sign Off
    --------

    Greets to all the nz2600 peeps!

    Disclaimer: I don't work for the GCSB, ok? :)

    Thanks,
    gcsb.

    __________________________________________________
    Do You Yahoo!?
    Yahoo! Games - play chess, backgammon, pool and more
    http://games.yahoo.com/