exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DSECRG-08-008.txt

DSECRG-08-008.txt
Posted Feb 4, 2008
Authored by Sh2kerr, Stas Svistunovich | Site dsecrg.com

Txp CMS version 4.0.5 suffers from denial of service and cross site scripting vulnerabilities.

tags | exploit, denial of service, vulnerability, xss
SHA-256 | 2fdd84f0f08dccc171b4b663b4751aba2d0763cf7b9d357f90d9a9c425e23b32

DSECRG-08-008.txt

Change Mirror Download

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-008


Application: Txp CMS
Versions Affected: 4.0.5
Vendor URL: http://www.textpattern.com
Bugs: DOS, multiple XSS, etc.
Exploits: YES
Reported: 11.01.2008
Vendor response: 14.01.2008
Patch Released: 03.02.2008
Date of Public Advisory: 04.02.2008
Authors: Alexandr Polyakov, Stas Svistunovich
Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Textpattern system has multiple security vulnerabilities:

1. Parameter Value Overflow
2. Linked XSS
3. XSS in POST
4. Stored XSS
5. Insecure password changing algorithm


Details
*******

1. Parameter Value Overflow

Vulnerability found in script index.php in comments section. Post parameter "message".

The application does not ensure that the parameter value length. It can be used for performing a DOS attack.


Example:

message = [A]x10000

--------------------------------------------------------------------------------------------


2. Linked XSS vulnerability found in /textpattern/setup/index.php, attacker can inject XSS in URL string.


Example:

http://[server]/[installdir]/textpattern/setup/index.php/"><script>alert('DSecRG XSS')</script>

--------------------------------------------------------------------------------------------


3. XSS in POST

Vulnerability found in script index.php in comments section. Post parameter "name".


Example:

name = <img src="javascript:alert('DSecRG XSS')">

name = <script>alert('DSecRG XSS')</script>

--------------------------------------------------------------------------------------------


4. Stored XSS

Vulnerability found in script textpattern/index.php?event=article in post parameter "Body".


Example:

Body = <IMG SRC=javascript:alert("DSecRG_XSS")>

--------------------------------------------------------------------------------------------


5. Insecure password changing algorithm

Previous password not required to set a new password.

If attacker gain access to admin session by using XSS vulnerability, he can change admin password without knowing old password.

It will be more secure to ask old password when changing password or primary email.


Fix Information
***************

Textpattern was altered to fix this flaw on 03.02.2008. Updated version (4.0.6) can be downloaded here:
http://textpattern.com/download



About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)



--

Digital Security Research Group mailto:research@dsec.ru
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close