Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities
Title: Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities
Advisory ID: ZSL-2015-5239
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.04.2015
Summary

Balero CMS is an open source project that can help you manage the page of your company with just a few guided steps, minimizing the costs that many companies incur to have their own advertising medium and/or portal.

Description

Input passed to the 'content' POST parameter and the 'counter' cookie is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
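The defect class the advisory describes (a request value reflected into the page without output encoding) and its fix, as an added example that is not Balero CMS code. It is written in Python rather than the CMS's PHP; the parameter names 'content' and 'counter' come from the advisory, while the page template, the assumption that 'counter' is a numeric view counter, and the sample request values are constructed here.

```python
"""Added example, not Balero CMS code: a handler that reflects the 'content'
POST parameter and the 'counter' cookie verbatim, beside a hardened version
that encodes on output and allow-lists the cookie."""
import html
from typing import Mapping

# Constructed template: 'content' lands in an HTML text context,
# 'counter' inside a double-quoted attribute.
PAGE = '<div class="body">{content}</div><span data-views="{counter}">views</span>'


def render_vulnerable(post: Mapping[str, str], cookies: Mapping[str, str]) -> str:
    """Reflects both values unchanged: the pattern the advisory reports."""
    return PAGE.format(content=post.get("content", ""),
                       counter=cookies.get("counter", "0"))


def render_hardened(post: Mapping[str, str], cookies: Mapping[str, str]) -> str:
    """Encode for the HTML context at the point of output, and validate the
    cookie against what it is supposed to hold instead of trusting it."""
    content = html.escape(post.get("content", ""), quote=True)
    raw_counter = cookies.get("counter", "0")
    # Assumption: 'counter' is a numeric page-view counter, so anything that
    # is not a plain integer is rejected rather than escaped.
    counter = raw_counter if raw_counter.isdigit() else "0"
    return PAGE.format(content=content, counter=counter)


def is_reflected_unencoded(rendered: str, injected: str) -> bool:
    """Regression check for a test suite: does the raw submitted markup
    survive in the rendered page?"""
    return injected in rendered


# Constructed inputs: markup in the POST body, and a cookie value that
# would close the attribute it is placed in.
SAMPLE_POST = {"content": "<b>constructed</b>"}
SAMPLE_COOKIES = {"counter": '7" data-x="'}

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(SAMPLE_POST, SAMPLE_COOKIES)
        print(f"{name}: raw markup reflected = "
              f"{is_reflected_unencoded(out, SAMPLE_POST['content'])}")
        print("   ", out)
```

The check in is_reflected_unencoded is the kind of assertion a project can keep in its test suite after a fix such as the vendor's 0.8.3 release: submit markup-bearing values for every reflected parameter and cookie and fail the build if any come back unencoded.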
Vendor

BaleroCMS Software - http://www.balerocms.com

Affected Version

0.7.2

Tested On

Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vendor Status

[04.03.2015] Vulnerabilities discovered.
[13.03.2015] Contact with the vendor.
[13.03.2015] Vendor responds asking more details.
[14.03.2015] Sent details to the vendor.
[15.03.2015] Vendor confirms issues, working on fix.
[15.03.2015] Vendor schedules patch release date.
[03.04.2015] Asked vendor for status update.
[03.04.2015] Vendor finishing core update, preparing patch.
[05.04.2015] Vendor releases version 0.8.3 to address these issues.
[07.04.2015] Coordinated public security advisory released.
PoC

balerocms_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://www.balerocms.com/blog/main/id-190
[2] http://www.balerocms.com/blog/main/id-193
[3] https://github.com/neblina-software/balerocms-src/releases
[4] http://packetstormsecurity.com/files/131324
[5] http://cxsecurity.com/issue/WLB-2015040044
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/102061
[7] http://www.exploit-db.com/exploits/36676/
[8] http://osvdb.org/show/osvdb/120381
Changelog

[07.04.2015] - Initial release
[08.04.2015] - Added references [4], [5], [6] and [7]
[09.04.2015] - Added reference [8]
Contact

Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk