[KAPDA::#27] - Runcms 1.x Cross_Site_Scripting vulnerability

KAPDA New advisory

Vulnerable products : Runcms 1.x
Vendor: www.runcms.org
Risk: Low
Vulnerabilities: Cross_Site_Scripting
Discoverd by Roozbeh Afrasiabi
roozbeh[at]yahoo[dot]com
www.kapda.ir
www.persiax.com


Date :
--------------------
Found : Jan 28 2006
Vendor Contacted : N/A

About :
--------------------
"Runcms Includes most things a webmaster would expect from a cms: downloads,links, tutorials section, polls, forums, news, faq, contact form,rss feeds,file uploads, blogging via xml-rpc, & more. Possibility to manage users as groups with module/block specific access permissions, and extend functioality via 3rd party module plug-ins. Has a simple yet good themability.
Easy enough to use for users, while staying simple enough to extend & customize for coders." (from runcms.org)


Vulnerability:
--------------------
Cross_Site_Scripting :

RUNCMS is affected by a cross-site scripting vulnerability. This issue is due to the failure of the application to properly sanitize user-
supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed.


Detail and PoC :
--------------------


The application does not validate the "lid" variable upon submission
to ratefile.php.

h**p://[target]/public/modules/downloads/ratefile.php?lid={number}">[code]



Solution :
--------------------
N/A


Original Advisory :
--------------------
http://kapda.ir/advisory-267.html


Especial thanks to:
--------------------
All KAPDA members


Credit :
--------------------
Discoverd by Roozbeh Afrasiabi
roozbeh_afrasiabi[at]yahoo[dot]com
www.kapda.ir
www.persiax.com