NetCat is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the search and post modules. A remote attacker could exploit this vulnerability using the search_query and redirect_url parameters in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.Multiple client side cross site scripting and http parameter pollution vulnerabilities are detected in the russian Bce NetCat v5.0.1 content management system.The non persistent cross site scripting vulnerabilities allow remote attackers to form malicious client side web requests to steal cms customer session information. The client side crlf vulnerability allows remote attackers to change the GET and POST request with own values to manipulate the http protocol request.
The first client side cross site scripting vulnerability is located in the search module with the bound vulnerable search_query application parameter.The secound http parameter pollution vulnerability is located in the post.php file when processing to request via the
bound vulnerable redirect_url parameter request.
Successful exploitation of the vulnerabilities can result in client side http parameter manipulation via post/get, client side phishing, client side cookie stealing via cross site scripting and client side cms web context manipulation.
Proof of Concept:
1. Client Side - Cross Site Scripting
The client side cross site scripting vulnerabilities can be exploited by remote attackers without privileged application user account and with medium or high required user inter action. For demonstration or reproduce ...
1.2 - In search_query parameter.
http://site.127.0.0.1:3666/search/?search_query= onmouseover=prompt(document.cookie) bad=
2. Client Side via POST - CRLF injection/HTTP Parameter Pollution
The client side crlf vulnerability can be exploited by remote attackers without privileged application user
account and with medium or high required user inter action. For demonstration or reproduce ...
In /netcat/modules/netshop/post.php URL encoded POST input redirect_url was set to NetCatStatus:hacked_by_seceffect
The security risk of the client side cross site scripting vulnerabilities are estimated as low(+)|(-)medium.
The security risk of the http parameter pollution vulnerability is estimated as medium(-).
2012-10-31: Public Disclosure