phpCMS Cross Site Scripting and Information Disclosure Issues
28 Nov. 2004
Summary
"phpCMS is a content management system which is distinguished in particular by its small system requirements, high performance and, above all, its flexibility. phpCMS is suitable for small private web pages as well as for complex professional web presences and high-traffic websites, including the integration of web services and external applications."
An input validation error in the system's code leads to an XSS vulnerability that is exploitable through at least one request argument.
Vulnerable Systems:
* phpCMS version 1.2.1 and prior
Immune Systems:
* phpCMS version 1.2.1.pl1
A flaw in the validation of user input leads to a cross-site scripting (XSS) vulnerability. In addition, because of the specifics of the problem, an attacker can learn details of the server's configuration when phpCMS is run in non-stealth mode with debug mode enabled.
The error page displays the input supplied by the user without filtering, and in addition reveals the full path to the phpCMS root directory.
Proof of concept: http://[somehost]/parser/parser.php?file=donotexist
->
phpCMS 1.2.1
Error: 07: could not find file for parsing.
/var/www/localhost/htdocsdonotexists/index.htm
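The two defects visible in the output above, reflection of the request argument into HTML without encoding and disclosure of the resolved absolute path, as an added illustration in PHP. This is not phpCMS code; the function names, the docroot value and the request value are constructed for the example.

```php
<?php
// Added example, not phpCMS code. Shows the error-page pattern described
// in the advisory next to a hardened version of the same page.

// Vulnerable pattern: the requested file name is echoed into the HTML
// response as-is, and the resolved absolute path is sent to the client.
function error_page_vulnerable(string $docroot, string $file): string
{
    $path = $docroot . $file . '/index.htm';
    return "Error: 07: could not find file for parsing.<br>\n" . $path;
}

// Hardened pattern:
//  - HTML-encode anything that is reflected from the request
//    (htmlspecialchars with ENT_QUOTES also covers attribute contexts);
//  - keep the filesystem path in a server-side log, never in the response,
//    so debug mode does not disclose the install directory.
function error_page_hardened(string $docroot, string $file, bool $debug, array &$log): string
{
    $path = $docroot . '/' . ltrim($file, '/') . '/index.htm';
    $log[] = 'parse error 07: missing ' . $path;   // server-side only
    $safe  = htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $msg   = 'Error: 07: could not find file for parsing.';
    // Even with debug enabled, only the encoded relative name is shown.
    return $debug ? $msg . "<br>\nRequested: " . $safe : $msg;
}

// Constructed request: the 'file' argument carries HTML metacharacters.
$docroot = '/var/www/localhost/htdocs';   // assumed install directory
$file    = 'donotexist"<b>';
$log     = [];

echo error_page_vulnerable($docroot, $file), "\n\n";
echo error_page_hardened($docroot, $file, true, $log), "\n";
// The path now appears only in $log, which stays on the server.
```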
Vendor Status:
The vendor has already supplied a fixed version of the system. Users are encouraged to upgrade to version 1.2.1.pl1. In any case, it is best not to run the system in non-stealth mode combined with debug mode where untrusted users have access.