MySource Matrix 3.28.3 (height) Remote Reflected XSS Vulnerability

Title: MySource Matrix 3.28.3 (height) Remote Reflected XSS Vulnerability
Advisory ID: ZSL-2010-4962
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 06.09.2010
Summary
MySource Matrix is a powerful Open Source Content Management System (CMS) written in PHP and is suitable for many types of organisations.
Description
Input passed via the "height" parameter to char_map.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

--------------------------------------------------------------------------------

Affected code in char_map.php (lines 182-183):

// <?php echo $_REQUEST['width'];?>;
// <?php echo $_REQUEST['height'];?>;

--------------------------------------------------------------------------------
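The pattern above, as an added illustration that is not code from MySource Matrix or Squiz: the raw echo of request values into an inline script block beside a hardened handler that only lets validated integers through. The 'width'/'height' names and $_REQUEST come from the advisory; the function names, defaults and surrounding markup are assumed.

```php
<?php
// Added example, not MySource Matrix code. Shows why an unvalidated request
// value in script context is dangerous and how a numeric parameter should be
// handled instead. Function names and markup are assumed for illustration.

// Vulnerable shape (as in char_map.php): the request value is written into
// script context unmodified, so it is attacker-controlled output.
function render_vulnerable(array $req): string
{
    return "<script>\n// " . $req['width'] . ";\n// " . $req['height'] . ";\n</script>\n";
}

// Hardened: a dimension is a small positive integer and nothing else.
// Whitelist validation beats output escaping here, because an integer can
// never carry markup or script delimiters into the response.
function dimension(array $req, string $key, int $default, int $max = 4096): int
{
    $raw = $req[$key] ?? null;
    if (!is_string($raw) && !is_int($raw)) {
        return $default;           // arrays or missing values fall back
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

function render_hardened(array $req): string
{
    $w = dimension($req, 'width', 400);
    $h = dimension($req, 'height', 300);
    // Only validated integers reach the page, so no user text enters the JS.
    return "<script>\nvar charMapWidth = {$w};\nvar charMapHeight = {$h};\n</script>\n";
}

// Constructed sample requests: a well-formed one and one whose height is not
// a number. The second falls back to the default instead of being echoed.
foreach ([['width' => '640', 'height' => '480'],
          ['width' => '640', 'height' => '480;x']] as $req) {
    echo render_hardened($req);
}
```

Where a free-form string genuinely has to reach JavaScript, emit it with json_encode() using JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT rather than concatenating it.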

Vendor
Squiz Pty Ltd. - http://www.matrix.squiz.net/
Affected Version
3.28.3
Tested On
Microsoft Windows XP Professional SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)
Vendor Status
[05.09.2010] Vulnerability discovered.
[06.09.2010] Vendor contacted.
[06.09.2010] Vendor replied asking details.
[06.09.2010] Sent analysis report to vendor.
[06.09.2010] Vendor verifies vulnerability.
[06.09.2010] Vendor releases fix versions 3.26.8 and 3.28.4.
[06.09.2010] Public advisory released.
PoC
mysource_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://matrix.squiz.net/developer/changelogs/3.28.x/3.28.3-3.28.4
[2] http://securityreason.com/wlb_show/WLB-2010090027
[3] http://secunia.com/advisories/41295/
[4] http://osvdb.org/show/osvdb/67838
[5] http://www.packetstormsecurity.org/filedesc/ZSL-2010-4962.txt.html
[6] http://www.securityfocus.com/bid/43020
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4901
Changelog
[06.09.2010] - Initial release
[07.09.2010] - Added reference [2] and [3]
[08.09.2010] - Added reference [4], [5] and [6]
[12.10.2011] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk