Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection
Title: Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection
Advisory ID: ZSL-2011-5004
Type: Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 25.03.2011
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
High five to Michael Brooks
[2] http://www.securityfocus.com/bid/47037
[3] http://www.securityfocus.com/bid/47038
[4] http://www.exploit-db.com/exploits/17050/
[5] http://securityreason.com/wlb_show/WLB-2011030110
[6] http://securityreason.com/exploitalert/10206
[7] http://secunia.com/advisories/39760/
[26.03.2011] - Added reference [2], [3] and [4]
[28.03.2011] - Added reference [5] and [6]
[30.03.2011] - Changed title, PoC file and Credits
[02.04.2011] - Added reference [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2011-5004
Type: Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 25.03.2011
Summary
Family Connections is an open source content management system. It makes creating a private, family website easy and fun.Description
FCMS suffers from a stored XSS vulnerability (post-auth) in messageboard.php script thru the 'subject' post parameter. XML Inj. lies in the /inc/getChat.php script with 'users' get parameter with no args, and post parameter 'message'.--------------------------------------------------------------------------------
/inc/getChat.php
----------------
30: // New Chat text
31: if (isset($_POST['message']) && $_POST['message'] != '') {
32: $sql = "INSERT INTO fcms_chat_messages(chat_id, user_id, user_name, message, post_time)
33: VALUES (1, " . cleanInput($_POST['user_id']) . ", '" . cleanInput($_POST['name']) . "', '" . cleanInput($_POST['message']) . "', NOW())";
...
46: //Create the XML response.
47: $xml = '<?xml version="1.0" ?><root>';
48: // Get Users Online
49: if (isset($_GET['users']))
50: // Timezone stuff
51: $sql = "SELECT `timezone` FROM `fcms_user_settings` WHERE `user` = ".cleanInput($_GET['user_id']);
...
107: $xml .= '<text>' . htmlspecialchars($message_array['message']) . '</text>';
--------------------------------------------------------------------------------
Vendor
Ryan Haudenschilt - http://www.familycms.comAffected Version
2.3.2Tested On
Tested on: Microsoft Windows XP Professional SP3 (EN)Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/APoC
fccms_xml.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>High five to Michael Brooks
References
[1] http://packetstormsecurity.org/files/99734[2] http://www.securityfocus.com/bid/47037
[3] http://www.securityfocus.com/bid/47038
[4] http://www.exploit-db.com/exploits/17050/
[5] http://securityreason.com/wlb_show/WLB-2011030110
[6] http://securityreason.com/exploitalert/10206
[7] http://secunia.com/advisories/39760/
Changelog
[25.03.2011] - Initial release[26.03.2011] - Added reference [2], [3] and [4]
[28.03.2011] - Added reference [5] and [6]
[30.03.2011] - Changed title, PoC file and Credits
[02.04.2011] - Added reference [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk