Advisory: Reflecting XSS vulnerability in CMS Websitebaker v.2.8.3 SP3
Advisory ID: SROEADV-2015-03
Author: Steffen Rösemann
Affected Software: CMS Websitebaker v.2.8.3 SP3
Vendor URL: http://www.websitebaker.org/de/home.php
Vendor Status: Vendor did not respond
CVE-ID: CVE-2015-0553

Tested with:

- Firefox 34
- Mac OS X 10.10

==========================
Vulnerability Description:
==========================

In the administrative backend of the content management system Websitebaker
v. 2.8.3 SP3 resides a reflecting XSS vulnerability.

==================
Technical Details:
==================

The file "modify.php" in which the researcher Manuel Cardenas (see
timeline) already found a SQL injection vulnerability, is as well prone to
a reflecting XSS vulnerability via a hidden form-field.

Exploit-Example:

http://
{TARGET}/admin/pages/modify.php?page_id=1"><script>alert('XSS')</script><!--

=========
Solution:
=========

Vendor did not respond.


====================
Disclosure Timeline:
====================
29-Dec-2014 – found the vulnerability
29-Dec-2014 - compared to findings of Manuel Garcia Cardenas (see
http://seclists.org/fulldisclosure/2014/Nov/44)
04-Jan-2015 - informed the developers
04-Jan-2015 – release date of this security advisory [without technical
details]
04-Jan-2015 - requested a CVE-ID
05-Jan-2015 - received CVE-2015-0533 from Mitre
05-Jan-2015 - submitted CVE-2015-0533 to vendor
14-Jan-2015 - contacted vendor again via Twitter (see [3])
18-Jan-2015 - release date of this security advisory
18-Jan-2015 - send to lists




========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://www.websitebaker.org/de/home.php
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-03_4.html
[3] https://twitter.com/sroesemann/status/555397239229911040
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-03.html