Multiple Vulnerabilities in brainsquad-team's CMS
=================================================

Discovered on 23.12.2005 by yorn. Merry Christmas!

Description:
------------

www.brainsquad-team.de

The CMS from brainsquad-team is a PHP/SQL-based CMS.

Problems:
---------

XSS:

There are multiple XSS vulnerabilities in the CMS. First, the "Interests"
field in the User Profile is vulnerable: script code can be injected, and
cookie theft was demonstrated simply by viewing a profile (stored XSS).
The svar request variable is affected as well (reflected XSS).

POC: Insert "> into the Interests field and save it. View your profile
and enjoy your clear text cookie.

svar POC:
index.php?svar=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

UPDATE: The CMS Koobi - Portalsystem seems to be vulnerable to this issue,
too. But as the passwords stored in its cookie are encrypted, the impact
there is lower.

Clear Text Passwords:

The passwords are NOT encrypted, so stealing the cookie hands the attacker
the password itself, which makes the XSS above quite effective.

Possible SQL injection:

Some variables seem to be affected by a SQL problem; the POC passes a
double quote (%22) as set_id.

POC: index.php?svar=3&set_id=%22&mode=7&language=&timestamp=

Path disclosure:

Crafting a malformed URL results in path disclosure.

POC: See above.

Vendor Status:
--------------

Vendor has been informed on the date of discovery. Not patched yet.
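The two request-handling defects behind the POCs above, reproduced as an added example. This is not code from the brainsquad-team CMS (the advisory does not show its source); it is a pair of hypothetical handlers written in Python so they run stand-alone, each next to a hardened form: the svar parameter echoed into HTML without escaping (the reflected XSS POC), and set_id pasted into a SQL statement (the set_id=%22 probe), where an unparseable statement returns the database error to the client, which is how a PHP application with display_errors enabled also leaks its script path. The table name, its rows and the leaked path are assumptions.

```python
# Added example, not code from the brainsquad-team CMS (whose source the
# advisory does not show). Two hypothetical PHP-style request handlers,
# written in Python so they run stand-alone, each beside a hardened form:
#   1. the svar parameter echoed into HTML unescaped (the reflected XSS PoC),
#   2. set_id concatenated into a SQL statement (the set_id=%22 probe), where
#      a broken statement surfaces the database error, which is how a PHP
#      application with display_errors enabled also leaks its script path.
# Table name, row contents and the leaked path are assumptions.
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Payload from the advisory's svar PoC, URL-decoded.
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'


def parse_query(url):
    """Decode a URL's query string into {name: first value}, keeping empty values."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


# --- reflected XSS via svar ---------------------------------------------

def render_svar_vulnerable(params):
    """Echo svar into an attribute unescaped: '">' closes the attribute and the
    tag, and the rest of the value becomes live markup."""
    return '<input type="hidden" name="svar" value="%s">' % params.get("svar", "")


def render_svar_fixed(params):
    """Same template, but the value is HTML-escaped (quotes included) first, so
    it cannot break out of the attribute."""
    safe = html.escape(params.get("svar", ""), quote=True)
    return '<input type="hidden" name="svar" value="%s">' % safe


def reflects_script(page):
    """True if the rendered page contains an unescaped <script> tag."""
    return "<script>" in page.lower()


# --- SQL injection / error-based path disclosure via set_id --------------

def make_db():
    """Constructed in-memory table standing in for the CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sets (set_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO sets VALUES (?, ?)", [(3, "news"), (7, "forum")])
    return conn


def lookup_set_vulnerable(conn, params):
    """set_id is pasted into the statement. A stray quote (set_id=%22) leaves
    the statement unparseable; the error text is returned to the client the
    way a PHP application with display_errors on would show it."""
    sql = "SELECT name FROM sets WHERE set_id = %s" % params.get("set_id", "")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as err:
        # Hypothetical path; the point is that the error, not a page, comes back.
        return "Error: %s in /var/www/cms/index.php" % err
    return row[0] if row else None


def lookup_set_fixed(conn, params):
    """Validate the id as an integer and bind it as a parameter; malformed
    input gets a controlled 'not found' instead of an error page."""
    raw = params.get("set_id", "")
    if not raw.isdigit():
        return None
    row = conn.execute("SELECT name FROM sets WHERE set_id = ?", (int(raw),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    xss = parse_query("index.php?svar=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")
    print("vulnerable:", render_svar_vulnerable(xss))
    print("fixed:     ", render_svar_fixed(xss))
    db = make_db()
    sqli = parse_query("index.php?svar=3&set_id=%22&mode=7&language=&timestamp=")
    print("vulnerable:", lookup_set_vulnerable(db, sqli))
    print("fixed:     ", lookup_set_fixed(db, sqli))
```

Feeding the advisory's two POC URLs through `parse_query` shows the vulnerable handlers doing exactly what the advisory reports (a live `<script>` tag in the svar response, a raw database error for `set_id=%22`), while the escaped template and the parameterized query return harmless output for the same input.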