Home page logo

oss-sec logo oss-sec mailing list archives

CVE Request -- Zikula (v1.3.x) -- XSS flaw due improper sanitization of 'themename' parameter by setting default, modifying and deleting themes
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 08 Sep 2011 15:19:13 +0200

Hello Josh, Steve, vendors,

  it was found that the Zikula web application framework did not
properly sanitize the 'themename' parameter, while setting particular
theme as a default one, modifying the theme or deleting it. A remote
attacker, with Zikula administrator privilege, could use this flaw to
execute arbitrary HTML or web script code in the context of the
affected website.

[1] http://www.securityfocus.com/archive/1/519565/30/0/threaded
[2] https://www.htbridge.ch/advisory/xss_in_zikula.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=736707

Relevant upstream patch:
[4] https://github.com/zikula/core/commit/c27dc3ddce8c9ff519ed57397e3bdf8f281aade6

Vulnerable Zikula versions: Development versions prior to patch [4].
Not vulnerable versions: Zikula v1.2.7 (stable). Doesn't contain
                         code in question yet.

Provided PoC (from [1], [2]):
http://host/index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28docu ment.cookie%29%3C/script%3E

Could you allocate a CVE id for this?

Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]