the original cloud security

Ektron CMS 8.7 Cross Site Scripting

Ektron CMS 8.7 Cross Site Scripting
Posted Apr 16, 2014
Authored by Joseph Zeng Xianbo

Ektron CMS version 8.7 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2014-2729
MD5 | cd75297bb41a0089c579e9b2f075afec

Ektron CMS 8.7 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stored Cross Site Scripting in Ektron CMS 8.7

CVE reference: CVE-2014-2729
Affected platforms: Ektron Web Content Management System
Version: 8.7.0
Date: 2013-December-19
Security risk: Medium (CVSS - AV:N/AC:L/Au:S/C:P/I:P/A:N)
Researcher: Joseph Zeng Xianbo
Vendor Status: Issue reported to be patched in Ektron CMS 8.7.0.055
SP2 Patch Update: 8.7.0.055.2.015).

=====================================================================
Description:

During an internal penetration test exercise for a client, a stored
Cross Site Scripting vulnerability was discovered in the HTTP parameter
‘category0’ of the affected webpage. The application stored the payload
and executed the payload when the page was loaded.

This vulnerability has been assigned CVE-2014-2729.

=====================================================================
Steps to demonstrate issue:
1. Login to the CMS Workarea
2. Click on the Content tab
3. On the Folders subpanel, right click on an existing folder. Click
the 'Add Discussion Board' button
4. On the Properties tab, complete all mandatory fields
5. Click on the Templates tab and select a template on the Templates
page
6. Click on the Subjects tab
7. Click the 'Add Subject' button
8. Fill in the Subject field with the text 'testing text'
9. Click the 'Add Discussion Board' button
10. Use a proxy tool such as Burp Suite Professional. Allow the HTTP
GET request to AJAXbase.aspx to be sent unmodified to the server.
11. Intercept the HTTP POST request to content.aspx with Burp proxy
tool
12. Modify the value of the HTTP parameter 'category0' to
'testing+text<iframe src="http://example.com"></iframe>'
13. Send the modified HTTP POST request
14. On the Folder subpanel, right click on the newly created
discussion board
15. Click “View Properties” from the menu which appears
16. Click on the Subjects tab
17. You should observe that the malicious JavaScript code is
successfully executed

Note that repeating steps 7 to 8 and repeating the step 12 for the
corresponding parameters (e.g. 'category1', 'category2')

=====================================================================
Possible Impact

Malicious authenticated users could inject specially crafted
JavaScript code into multiple input fields of the affected form
(Add Discussion Board) which gets stored. When an administrative user
subsequently retrieves and views the records from the administrative
interface, the injected malicious JavaScript code will be executed
in his/her web browsers.

=====================================================================
Credits

This vulnerability was discovered by Joseph Zeng Xianbo

=====================================================================
History (GMT +8)

14 Aug 2013 - Vulnerability discovered and reported to client. Client reports it to System Integrator and Ektron.
6 Dec 2013 - Test on Ektron CMS 8.70 SP 2 shows vulnerability is still present
10 Mar 2014 - Test on patched Ektron CMS shows vulnerability has been resolved
26 Mar 2014 - Secunia informed of vulnerability
3 Apr 2014 - Secunia declines to issue advisory as Ektron CMS version 9 supersedes patched version. Case referred to MITRE.
5 Apr 2014 - CVE identifier assigned for this vulnerability
7 Apr 2014 - Ektron contacted for patch details
8 Apr 2014 - Ektron asks System Integrator for patch details
10 Apr 2014 - System Integrator gives notification of patch details
16 Apr 2014 - Advisory Released.
=====================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJTTokOAAoJEC7dR+igIW6kRf0H/34IM2qxQraoAXlHe0PjAqA+
3dkgrDQxNy0cpnYJ6yFTq4j55UdYBQHRDUCAxZTztCVwUpDKUC+CrYAFYTdBQrDh
4fQUL0BLDTsD6SOO61mY0M+/ZEywrLNzB7kYc4P9Er4BCVFQwJ00teCD5NP8L6dZ
Upzux8rdO7MlBsngfSOGxjzfdxNNwZJyGet5b4zej7uniwE5EHlyFVEpLgOd0Sua
9qEg7Y8V/IHoWiRX2yapvliQDmoSi9qLHxuPNiAFkHJ6qqR7UvwnuxdLlzsFCvQn
EHC7MVk2wcyPEjzTLCDxmt6U9qHju8kqRA2SZYQPEGsl3McfZLyrvXN8lZHCV+I=
=iInp
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close