Seagull STABLE version 0.6.3 suffers from multiple cross site scripting vulnerabilities.
fuzion
Product:
Seagull STABLE 0.6.3
http://seagullproject.org/
Vulnerable:
None of the theme CSS renderers appear to sanitize variables against cross-site scripting.
Register Globals = ON
Multiple Cross Site Scripting problems:
http://[site]/themes/default1/css/blockStyle.php?secondary=[xss]
Also vulnerable:
themes/default1/css/core.php
themes/default1/css/event.php
themes/default1/css/media.php
themes/default1/css/publisher.php
themes/default1/css/SglDefault_TwoLevel.nav.php
themes/default1/css/SglListamaticSubtle.nav.php
themes/default_admin/css/adminMenu_vertical.nav.php
themes/default_admin/css/block.php
themes/default_admin/css/blockStyle.php
themes/default_admin/css/cms.php
themes/default_admin/css/comment.php
themes/default_admin/css/core.php
themes/default_admin/css/navigation.php
themes/default_admin/css/publisher.php
themes/default_admin/css/user.php
Some common vulnerable variables:
secondary
fontFamilyAlt
primaryLight
greyLightest
leftColWidth
grey
primaryDark
primary
baseUrl
Several of these cause path disclosure as well:
http://[site]/themes/default_admin/css/core.php
PoC:
http://demo.seagullproject.org/themes/default_admin/css/core.php
Other vulnerabilities may be available if Seagull was not properly installed:
http://[site]/[path]/etc/mysql5_field_test.php?res=[xss]
http://[site]/[path]/modules/event/www/css/event.php?baseUrl=[xss]
http://[site]/[path]/modules/media/www/css/media.php?greyDark=[xss]
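
One way a theme CSS renderer could be hardened against the problem described above, as an added example that is not Seagull's code: every variable is initialised explicitly rather than left to register_globals, and a request-supplied value is used only if it matches a strict pattern for its type. The `themeVars` helper, the default values, the patterns and the image path are hypothetical; the code assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not Seagull code. Variable names are from the advisory;
// default values and accepted formats are constructed assumptions.
const THEME_VARS = [
    'primary'       => ['color',  '#336699'],
    'primaryLight'  => ['color',  '#6699cc'],
    'primaryDark'   => ['color',  '#003366'],
    'secondary'     => ['color',  '#ff9900'],
    'grey'          => ['color',  '#999999'],
    'greyLightest'  => ['color',  '#eeeeee'],
    'leftColWidth'  => ['length', '200px'],
    'fontFamilyAlt' => ['font',   'Georgia, serif'],
];

// Strict whole-string patterns: no quotes, angle brackets, braces or semicolons
// can pass, so a value cannot close the CSS rule or open markup.
const TYPE_PATTERNS = [
    'color'  => '/\A#(?:[0-9a-f]{3}|[0-9a-f]{6})\z/i',
    'length' => '/\A\d{1,4}(?:px|em|%)\z/',
    'font'   => '/\A[a-z0-9 ,-]{1,80}\z/i',
];

// Returns one value per theme variable. Anything missing, non-string or not
// matching its type pattern falls back to the default.
function themeVars(array $input): array
{
    $out = [];
    foreach (THEME_VARS as $name => [$type, $default]) {
        $value = $input[$name] ?? $default;
        $ok = is_string($value) && preg_match(TYPE_PATTERNS[$type], $value) === 1;
        $out[$name] = $ok ? $value : $default;
    }
    return $out;
}

// baseUrl is never read from the request; it comes from server-side config.
$baseUrl = 'https://example.test/seagull'; // placeholder value

$v = themeVars($_GET);

// Declare the response as CSS so a browser does not treat it as HTML.
header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');

printf("body { color: %s; font-family: %s; }\n", $v['primaryDark'], $v['fontFamilyAlt']);
printf("#leftCol { width: %s; background: %s url(%s/images/bg.png); }\n", // hypothetical path
    $v['leftColWidth'], $v['greyLightest'], $baseUrl);
```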