"phpCMS is a content management system, which convinces in particular by small system requirements, high performance and above all its flexibility. phpCMS is suitable for small private web pages and also for complex professional appearances and high traffic websites including the integration of webservices and external applications."
An input validation error in the system's code paves the way for an XSS vulnerability that is exploitable through at least one argument.
Credit:
The information has been provided by Cyrille Barthelemy.
Vulnerable Systems:
* phpCMS version 1.2.1 and prior
Immune Systems:
* phpCMS version 1.2.1.pl1
An implementation error in the validation of user input leads to an XSS vulnerability that allows an attacker to conduct cross-site scripting attacks. In addition, the specifics of the problem allow the attacker to gain information about the server's configuration when phpCMS is configured in non-stealth mode with debug mode enabled.
Example:
http://[somehost]/parser/parser.php?file=<scr!pt>alert(document.cookie)</scr!pt>
The error page reflects the user-supplied input unfiltered and, in addition, discloses the full filesystem path to the phpCMS root directory.
Proof of concept:
http://[somehost]/parser/parser.php?file=donotexist
->
phpCMS 1.2.1
Error: 07: could not find file for parsing.
/var/www/localhost/htdocsdonotexists/index.htm
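As an added detection example (not part of the advisory or of phpCMS), the following scans web server access logs for requests to parser.php whose file argument carries HTML tags, including percent-encoded and double-encoded forms; the log lines are constructed, and the log format and path are assumptions:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2004:10:01:02 +0100] "GET /parser/parser.php?file=index.htm HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Nov/2004:10:02:17 +0100] "GET /parser/parser.php?file=%3Cscr!pt%3Ealert(document.cookie)%3C/scr!pt%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Nov/2004:10:02:40 +0100] "GET /parser/parser.php?file=%253Cimg%2520src%3Dx%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Nov/2004:10:03:01 +0100] "GET /images/logo.png HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Any angle-bracketed token is suspicious: a legitimate file name never needs one.
TAG_RE = re.compile(r'<\s*/?\s*[a-z!][^>]*>', re.I)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double encoding does not evade the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict for a suspicious parser.php request, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if not parts.path.endswith("/parser.php"):  # assumed script location
        return None
    # parse_qs already decodes one layer; fully_decode handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        value = fully_decode(raw)
        if TAG_RE.search(value) or "<" in value or ">" in value:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "file": value}
    return None


def scan(log_text):
    """Return the findings for every suspicious line in the log text."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]
```

The same check, applied to the file argument before it is echoed into the error page, is the kind of validation the fixed version needs, along with an error message that does not include the filesystem path.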
Vendor Status:
The vendor has already supplied a fixed version of the system. Users are encouraged to upgrade to the newer 1.2.1.pl1 version. In any case, the system should not be run in non-stealth mode with debug mode enabled where untrusted users can reach it.
Disclosure Timeline:
2004/11/24 - Vulnerability discovered
2004/11/24 - Vendor notified
2004/11/25 - Vendor response
2004/11/25 - Fix released