Windu CMS 2.2 Multiple Persistent Cross-Site Scripting Vulnerabilities
Title: Windu CMS 2.2 Multiple Persistent Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2013-5148
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 24.07.2013
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
[23.07.2013] Contact with the vendor.
[24.07.2013] No reply from the vendor.
[24.07.2013] Public security advisory released.
[2] http://cxsecurity.com/issue/WLB-2013070188
[3] http://packetstormsecurity.com/files/122537
[4] http://www.exploit-db.com/exploits/27128/
[5] http://xforce.iss.net/xforce/xfdb/85976
[25.07.2013] - Added reference [2] and [3]
[28.07.2013] - Added reference [4]
[29.07.2013] - Added reference [5]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2013-5148
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 24.07.2013
Summary
Windu CMS is a simple, lightweight and fun-to-use website content management software.Description
Multiple stored XSS vulnerabilities exist when parsing user input to the 'name' and 'username' POST parameters. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.Vendor
Adam Czajkowski - http://www.windu.orgAffected Version
2.2 rev 1430Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
[21.07.2013] Vulnerabilities discovered.[23.07.2013] Contact with the vendor.
[24.07.2013] No reply from the vendor.
[24.07.2013] Public security advisory released.
PoC
winducms_xss.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.securityfocus.com/bid/61428[2] http://cxsecurity.com/issue/WLB-2013070188
[3] http://packetstormsecurity.com/files/122537
[4] http://www.exploit-db.com/exploits/27128/
[5] http://xforce.iss.net/xforce/xfdb/85976
Changelog
[24.07.2013] - Initial release[25.07.2013] - Added reference [2] and [3]
[28.07.2013] - Added reference [4]
[29.07.2013] - Added reference [5]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk