Artiphp CMS v5.5.0 Multiple XSS POST Injection Vulnerabilities
Title: Artiphp CMS v5.5.0 Multiple XSS POST Injection Vulnerabilities
Advisory ID: ZSL-2012-5090
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 16.05.2012
Apache 2.2.21
PHP 5.3.8
MySQL 5.5.20
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5089.php
[3] http://cxsecurity.com/issue/WLB-2012050120
[4] http://packetstormsecurity.org/files/112804
[5] http://www.1337day.com/exploits/18288
[6] http://www.securityfocus.com/bid/53586
[7] http://secunia.com/advisories/49195
[8] http://xforce.iss.net/xforce/xfdb/75689
[9] http://www.osvdb.org/show/osvdb/81990
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2906
[18.05.2012] - Added reference [4], [5], [6], [7] and [8]
[22.05.2012] - Added reference [9]
[26.05.2012] - Added reference [10]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2012-5090
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 16.05.2012
Summary
Artiphp is a content management system (CMS) open and free to create and manage your website.Description
Artiphp CMS suffers from multiple cross-site scripting vulnerabilities via several parameters thru POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.Vendor
Artiphp - http://www.artiphp.comAffected Version
5.5.0 Neo (r422)Tested On
Microsoft Windows XP Professional SP3 (EN)Apache 2.2.21
PHP 5.3.8
MySQL 5.5.20
Vendor Status
N/APoC
artiphp_xss.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5088.php[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5089.php
[3] http://cxsecurity.com/issue/WLB-2012050120
[4] http://packetstormsecurity.org/files/112804
[5] http://www.1337day.com/exploits/18288
[6] http://www.securityfocus.com/bid/53586
[7] http://secunia.com/advisories/49195
[8] http://xforce.iss.net/xforce/xfdb/75689
[9] http://www.osvdb.org/show/osvdb/81990
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2906
Changelog
[16.05.2012] - Initial release[18.05.2012] - Added reference [4], [5], [6], [7] and [8]
[22.05.2012] - Added reference [9]
[26.05.2012] - Added reference [10]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk