Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability

Title: Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability
Advisory ID: ZSL-2011-5057
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 13.11.2011
Summary
Hotaru CMS is an open source, PHP platform for building your own websites. With flexible plugins and themes, you can make any site you like.
Description
The CMS suffers from multiple XSS vulnerabilities. Input passed via Hotaru.php through the POST parameters 'SITE_NAME' (stored) and 'return' (reflected) and the GET parameter 'search' (reflected) is not sanitized, allowing an attacker to execute HTML code in a user's browser session on the affected site.
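The handling that closes this class of issue for the three parameters named above, as an added example that is not Hotaru CMS code and not part of the original advisory. The function names, the sample values and the assumption that 'return' carries a redirect path are hypothetical.

```php
<?php
// Added example, not Hotaru CMS code. Function names and the contexts each
// value is rendered into are assumptions for illustration.

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** SITE_NAME is stored, so normalise it once before it is saved. */
function clean_site_name(string $raw): string
{
    // Drop control characters; preg_replace returns null on invalid UTF-8.
    $text = preg_replace('/[\x00-\x1F\x7F]/u', '', $raw);
    return $text === null ? '' : trim($text);
}

/** 'return' (assumed to be a redirect target): accept site-relative paths only. */
function safe_return_path(string $raw, string $default = '/'): string
{
    // One leading slash, not "//host", and an allow-list of path/query characters.
    return preg_match('#^/(?!/)[A-Za-z0-9_./?&=%-]*\z#', $raw) === 1 ? $raw : $default;
}

// Constructed sample input containing markup characters.
$siteName = clean_site_name(' Acme <b>News</b> & "Reviews" ');
$search   = '<em>cats</em> & "dogs"';
$return   = '//other.example/path';

// Encode at output time, in the template, for every one of the three values.
echo '<title>' . h($siteName) . "</title>\n";
echo '<input name="search" value="' . h($search) . "\">\n";
echo '<input type="hidden" name="return" value="' . h(safe_return_path($return)) . "\">\n";
```

Encoding is applied where the value is written into the page, so the stored SITE_NAME stays safe even if a record was saved before the input check existed.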
Vendor
Hotaru CMS - http://www.hotarucms.org
Affected Version
1.4.2
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8
Vendor Status
N/A
PoC
hotarucms_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/106938
[2] http://securityreason.com/wlb_show/WLB-2011110045
[3] http://secunia.com/advisories/46842/
[4] http://www.securityfocus.com/bid/50657
[5] http://osvdb.org/show/osvdb/77095
[6] http://xforce.iss.net/xforce/xfdb/71300
[7] http://xforce.iss.net/xforce/xfdb/71301
[8] http://xforce.iss.net/xforce/xfdb/71302
[9] http://osvdb.org/show/osvdb/77680
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4709
[11] http://www.naked-security.com/nsa/201744.htm
Changelog
[13.11.2011] - Initial release
[14.11.2011] - Added reference [1], [2] and [3]
[15.11.2011] - Added reference [4], [5], [6], [7] and [8]
[12.01.2012] - Added reference [9], [10] and [11]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk