PyroCMS 2.1.1 CRLF Injection And Stored XSS Vulnerability

Title: PyroCMS 2.1.1 CRLF Injection And Stored XSS Vulnerability
Advisory ID: ZSL-2012-5092
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 04.06.2012
Summary
PyroCMS is a CMS built on the CodeIgniter PHP framework. It uses an MVC architecture and was built with modularity in mind; it is lightweight, themeable and dynamic.
Description
PyroCMS suffers from a stored XSS and an HTTP response splitting (CRLF injection) vulnerability when handling user input passed in the 'title' and 'redirect_to' parameters via the POST method through the 'index.php' script. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session, or to insert arbitrary HTTP headers into a response sent to the user.
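The two flaw classes named above share one root cause: user-supplied values reach an output sink (an HTML page for 'title', a response header for 'redirect_to') without being validated or encoded for that sink. The following PHP is an added illustration of that pattern and its fix; it is not PyroCMS code and does not reproduce the vendor's patch. Only the parameter names 'title' and 'redirect_to' come from the advisory; every function name below is an assumption made for the example.

```php
<?php
// Added illustrative example (not PyroCMS code): each input-handling
// pattern behind the advisory, shown vulnerable and then hardened.
// Parameter names 'title' and 'redirect_to' come from the advisory;
// all function names here are assumptions for the example.

// --- Stored XSS on 'title' --------------------------------------------
// Vulnerable: a stored title is echoed back into HTML verbatim, so any
// markup it contains is rendered by the viewer's browser.
function render_title_unsafe($title)
{
    return "<h1>" . $title . "</h1>";
}

// Hardened: encode at output time for the HTML text context.
// (ENT_QUOTES only, so this also runs on the PHP 5.3 the advisory tested.)
function render_title_safe($title)
{
    return "<h1>" . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</h1>";
}

// --- CRLF injection / response splitting on 'redirect_to' --------------
// Vulnerable: the parameter is placed in a header line unchanged, so a
// CR/LF inside it ends the Location header and starts a new one.
function build_redirect_unsafe($target)
{
    return "Location: " . $target;
}

// Hardened: refuse control characters, then accept only a same-site path
// (the open-redirect check the same sink needs anyway). Returns null when
// the value must not be used.
function validate_redirect_target($target)
{
    // Any CR, LF or other control character means this is not a URL and
    // must never reach a header line.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return null;
    }
    // Only a relative path beginning with a single slash is accepted;
    // "//host/..." (protocol-relative) and absolute URLs are rejected.
    if (!preg_match('#^/(?![/\\\\])#', $target)) {
        return null;
    }
    return $target;
}

function build_redirect_safe($target, $fallback = '/')
{
    $clean = validate_redirect_target($target);
    return "Location: " . ($clean === null ? $fallback : $clean);
}

// Constructed sample inputs: one benign path, one carrying a CRLF, one
// protocol-relative redirect. Only the first survives validation.
$samples = array(
    "/admin/pages",
    "/admin/pages\r\nX-Test: 1",
    "//other.example/",
);
foreach ($samples as $s) {
    echo build_redirect_safe($s), "\n";   // second and third fall back to "/"
}
echo render_title_safe("<b>hello</b>"), "\n";   // angle brackets are encoded
```

Two design points matter here. The control-character check runs before any URL parsing, because a value containing CR or LF is already disqualified regardless of what follows. And PHP's own header() function has refused values containing a newline since 5.1.2, but the check still belongs in application code: not every header-writing path goes through header(), and a header silently dropped by the runtime leaves the user with no redirect at all rather than the intended fallback.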
Vendor
HappyNinjas Ltd - http://www.pyrocms.com
Affected Version
2.1.1 (Community)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.8
MySQL 5.5.20
Vendor Status
[20.05.2012] Vulnerabilities discovered.
[20.05.2012] Initial contact with the vendor.
[20.05.2012] Vendor responds asking more details.
[20.05.2012] Sent detailed information to the vendor.
[21.05.2012] Vendor confirms the issues.
[22.05.2012] Asked vendor for status update.
[27.05.2012] Vendor replies.
[03.06.2012] Vendor releases version 2.1.2 to address these issues.
[04.06.2012] Coordinated public security advisory released.
PoC
pyrocms_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.pyrocms.com/blog/2012/06/security-update-2-0-4-and-2-1-2
[2] http://docs.pyrocms.com/2.1/manual/index.php/general/about/changelog
[3] https://github.com/pyrocms/pyrocms/commit/c9cf2df4f8c31041e721bea889f96427b5a2de34
[4] https://github.com/pyrocms/pyrocms/commit/e9e7eed692b39b3c280dc011112ccb5508655dc2
[5] http://cxsecurity.com/issue/WLB-2012060023
[6] http://packetstormsecurity.org/files/113269
[7] http://www.exploit-db.com/exploits/18985
[8] http://www.securityfocus.com/bid/53782
[9] http://osvdb.org/show/osvdb/82626
[10] http://osvdb.org/show/osvdb/82636
[11] http://xforce.iss.net/xforce/xfdb/76075
[12] http://www.securiteam.com/securitynews/5GP3B2K7FC.html
Changelog
[04.06.2012] - Initial release
[05.06.2012] - Added reference [5], [6], [7] and [8]
[07.06.2012] - Added reference [9], [10] and [11]
[28.06.2012] - Added reference [12]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk