OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] Content Management Framework "G3" - XSS Vulnerability in Search Function

From: Stefan Friedli (stefan.friedli.listgmail.com)
Date: Wed Aug 02 2006 - 05:13:37 CDT


Content Management Framework "G3" - XSS Vulnerability in Search Function

INTRO
According to the manufacturer, "G3" is a classic content-management-system,
allowing customers to manage their own websites without knowing much about
webpublishing.
Information about the product is available at:
http://www.inm.ch/g3.cms/s_page/56770

DESCRIPTION
Stefan Friedli discovered a XSS Vulnerabilty in the search module used by
many websites powered by G3. By using the chars "<" ">" and quotes, the form
can be used to include script code. As there seems to be no determination
between parameters being passed by GET or POST, it's possible to pass
manipulated content to other users using a simple link passing the parameter
search_string.

EXPLOIT
Classic browser-based script injection techniques are sufficient to exploit
this vulnerability.

POSSIBLE IMPACT
As most XSS vulnerabilities, the impact of this flaw depends on the page
being attacked. In this case, a "trusted" site may be used to exploit
vulnerabilities in older browsers or compromise accounts on sites using
authentication. For several customers of INM, this flaw could cause some
additional trouble because of possible phising attacks using this
vulnerability to trick customers.

SOLUTION
The vulnerabilty has not been addressed yet. A patch implementing basic
input validation would solve the problem.

VENDOR RESPONSE
INM has been informed about this vulnerability on 2006-07-06. A reminder was
sent 14 days after. There has been no reaction on any message according this
issue.

TIMELINE
2006-07-05 - Discovery
2006-07-06 - INM has been informed about the flaw
2006-07-20 - Reminder has been sent
2006-08-02 - Public advisory has been published

CREDITS
This vulnerabilty was discovered by Stefan Friedli. It may be redistributed
as-is.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/