Textpattern 4.2.0 (txplib_db) Null Termination Cross-Site Scripting Vulnerability

Title: Textpattern 4.2.0 (txplib_db) Null Termination Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2010-4963
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 08.09.2010
Summary
Textpattern is an open source content management system unlike any other; it allows you to easily create, edit and publish content and make it beautiful in a professional, standards-compliant manner.
Description
Textpattern CMS version 4.2.0 suffers from a reflected XSS vulnerability. Input passed via the "q" search parameter reaches the Textpattern (TXP) Tag Library (txplib_db.php), where it is embedded in the rlike patterns of a MySQL query. A NUL byte in the search term makes the regexp match fail with 'empty (sub)expression', and the resulting warning echoes the complete SQL statement, including the unsanitised user input, back to the user without HTML encoding. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The output below shows the statement being reflected for a search term containing a NUL byte (rendered as '\0'):

--------------------------------------------------------------------------------

Tag error: -> Textpattern Warning: Got error 'empty (sub)expression' from regexp select count(*) from textpattern where 1=1 and Status = 4 and Posted <= now() and (now() <= Expires or Expires = '0000-00-00 00:00:00') and (`Title` rlike '\0' or `Body` rlike '\0') on line 85

Tag error: -> Textpattern Warning: Got error 'empty (sub)expression' from regexp select *, unix_timestamp(Posted) as uPosted, unix_timestamp(Expires) as uExpires, unix_timestamp(LastMod) as uLastMod, match (`Title`, `Body`) against ('\0') as score from textpattern where 1=1 and Status = 4 and Posted <= now() and (now() <= Expires or Expires = '0000-00-00 00:00:00') and (`Title` rlike '\0' or `Body` rlike '\0') order by score desc limit 0, 5 on line 85

Line 71 - \TEXTPATTERN_ROOT_FOLDER\textpattern\lib\txplib_db.php: function safe_query($q='',$debug='',$unbuf='')

--------------------------------------------------------------------------------

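The following is an added illustration, not Textpattern's own code: a minimal reconstruction of the failure path described above, with the vulnerable error reporting beside a hardened version. The function names (build_search_sql, report_db_error_vulnerable, report_db_error_fixed) are hypothetical; only the error text and the shape of the statement follow the captured output.

```php
<?php
// Added example, not Textpattern's code: a minimal reconstruction of the
// failure mode in the advisory. The function names (build_search_sql,
// report_db_error_vulnerable, report_db_error_fixed) are hypothetical; the
// error text and the shape of the statement follow the output shown above.

// The search term is placed inside the rlike patterns. addslashes() turns an
// embedded NUL byte into the two characters "\0", which is exactly what the
// captured statement shows as rlike '\0'.
function build_search_sql($q)
{
    $term = addslashes($q);
    return "select count(*) from textpattern where 1=1 and Status = 4 "
         . "and Posted <= now() and (now() <= Expires or Expires = '0000-00-00 00:00:00') "
         . "and (`Title` rlike '$term' or `Body` rlike '$term')";
}

// Vulnerable pattern: when the database reports an error, the full statement,
// user input included, is written into the page without HTML encoding.
function report_db_error_vulnerable($dberr, $sql)
{
    return "Tag error: -> Textpattern Warning: Got error '$dberr' from regexp $sql";
}

// Hardened pattern: encode everything that originated outside the application
// before it reaches the page. The statement still contains the search term,
// but the browser now renders it as text instead of markup.
function report_db_error_fixed($dberr, $sql)
{
    return "Tag error: -> Textpattern Warning: Got error '"
         . htmlspecialchars($dberr, ENT_QUOTES, 'UTF-8')
         . "' from regexp "
         . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8');
}

// Constructed request (not taken from the advisory's PoC file): a NUL byte,
// which the captured output shows makes MySQL's regexp engine fail with
// 'empty (sub)expression', followed by a script tag. Over HTTP this would be
// sent as q=%00%3Cscript%3Ealert(1)%3C/script%3E.
$q   = "\0<script>alert(1)</script>";
$sql = build_search_sql($q);
$err = 'empty (sub)expression';

echo report_db_error_vulnerable($err, $sql), "\n\n";
echo report_db_error_fixed($err, $sql), "\n";
```

Run with the PHP CLI: the first line of output contains a literal `<script>` tag inside the rlike pattern, the second contains `&lt;script&gt;` and is inert in a browser. Two further points a practitioner would check in a fix: the NUL byte is only the trigger for the error path, so rejecting or stripping NUL bytes from the search term avoids this particular error but does not by itself address the unencoded output, and a database warning that prints the executed SQL statement should not be shown to unauthenticated visitors at all, regardless of encoding.
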
Vendor
Team Textpattern - http://www.textpattern.com
Affected Version
4.2.0
Tested On
Microsoft Windows XP Professional SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)
Vendor Status
[05.09.2010] Vulnerability discovered.
[05.09.2010] Initial contact with the vendor.
[07.09.2010] No reply from vendor.
[08.09.2010] Public advisory released.
PoC
textp_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.packetstormsecurity.org/filedesc/ZSL-2010-4963.txt.html
[2] http://www.securityfocus.com/bid/43055
[3] http://secunia.com/advisories/41305/
[4] http://osvdb.org/show/osvdb/67850
[5] http://xforce.iss.net/xforce/xfdb/61687
[6] http://www.securelist.com/en/advisories/41305
Changelog
[08.09.2010] - Initial release
[09.09.2010] - Added reference [4]
[10.09.2010] - Added reference [5]
[13.09.2010] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk