Credit:
The information has been provided by Mesut Timur.
The original article can be found at: http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/
Vulnerable Systems:
* Symphony CMS 2.2.3 and possibly below
Symphony CMS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the profile and filter parameters in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
1) Input passed via the "profile" parameter to the URL is not properly sanitised in extensions/profiledevkit/content/content.profile.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input passed via the "filter" parameter to symphony/publish/images is not properly sanitised in symphony/lib/core/class.symphony.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
3) Input passed via the "filter" parameter to symphony/publish/comments is not properly sanitised in symphony/content/content.publish.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Note: This vulnerability can further be exploited to conduct cross-site scripting attacks via SQL error messages.
Successful exploitation of this vulnerability requires "Author" privileges.
Example PoC URLs are as follows:
http://example.com/symphony/publish/comments/?filter='+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+'
http://example.com/symphony/publish/images/?filter='+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+'
http://example.com/?profile='"--></style></script><script>alert(1)</script>
http://example.com/symphony/publish/comments/?filter='"--></style></script><script>alert(1)</script>
http://example.com/symphony/publish/images/?filter='"--></style></script><script>alert(1)</script>
http://example.com/about/?profile='"--></style></script><script>alert(1)</script>
http://example.com/drafts/?profile='"--></style></script><script>alert(1)</script>
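As an added detection example (not code from the advisory or from the Symphony project), the script below scans constructed Apache-style access log lines for the request shapes shown in the PoC URLs above: SLEEP()-based payloads in the "filter" parameter of the two publish paths, and style/script-closing payloads in "profile" or "filter". The log lines, client addresses and signature patterns are assumptions derived from the advisory's PoCs, not an exhaustive rule set.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameters and paths named in the advisory (CVE-2011-4340).
# "profile" is accepted on front-end pages, so it is checked on any path.
WATCHED = {
    "filter": ("/symphony/publish/comments", "/symphony/publish/images"),
    "profile": None,
}

# Signatures built from the advisory's PoC payloads (assumed, not exhaustive).
SQLI_RE = re.compile(r"(?i)\bSLEEP\s*\(|\bSELECT\b.*\bFROM\b")
XSS_RE = re.compile(r"(?i)<\s*/?\s*script|</style>")

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
LOG_LINES = """\
203.0.113.7 - - [03/Nov/2011:10:15:01 +0000] "GET /symphony/publish/comments/?filter=%27+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+%27 HTTP/1.1" 200 512
203.0.113.7 - - [03/Nov/2011:10:15:09 +0000] "GET /about/?profile=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
198.51.100.4 - - [03/Nov/2011:10:16:00 +0000] "GET /symphony/publish/images/?filter=recent HTTP/1.1" 200 1024
198.51.100.4 - - [03/Nov/2011:10:16:30 +0000] "GET /blog/?filter=SLEEP(1) HTTP/1.1" 200 900
"""

def classify(target):
    """Return (parameter, kind) for a suspicious request target, else None."""
    url = urlsplit(target)
    for param, paths in WATCHED.items():
        if paths is not None and not url.path.startswith(paths):
            continue  # "filter" only matters on the two publish paths
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            # parse_qs decoded once; a second pass catches double-encoded values.
            value = unquote_plus(raw)
            if SQLI_RE.search(value):
                return param, "sqli"
            if XSS_RE.search(value):
                return param, "xss"
    return None

def scan(log_text):
    """Return one (client_ip, parameter, kind, path) tuple per flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        verdict = classify(m["target"])
        if verdict:
            hits.append((m["ip"], verdict[0], verdict[1], urlsplit(m["target"]).path))
    return hits

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

The last sample line shows the scoping: a "filter" payload on a path the advisory does not name is left alone, so the rule can be tuned per site before it is widened.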
Patch Availability:
http://getsymphony.com/download/releases/version/2.2.4/
CVE Information:
CVE-2011-4340
Disclosure Timeline:
Release Date: 03 Nov 2011
Last Change: 20 Feb 2012