Siteframe Beaumont 5.0.1a <== Cross-Site Scripting Vulnerability ########################## Information of Software: Software: Siteframe Beaumont 5.0.1a Site: http://www.siteframe.org/ Description of software: Siteframe is a lightweight content-management system designed for the rapid deployment of community-based websites. With Siteframe,a group of users can share stories and photographs, create blogs, send email to one another, and participate in group activities. ########################## Bug: Siteframe contains a flaw that allows a remote cross site scripting attack. The vulnerability is found in the search page and the user can modify the function GET and insert the XSS code. - http get request http://[target]/search.php?q=casa GET /search.php?q=casa Host: siteframe.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive but we can modify the request GET in this way: http://[target]/search.php?q=[XSS] GET /search.php?q=[XSS] ------------------------- Example: http://[target]/search.php?q=[XSS] or a practical example: http://[target]/search.php?q= ------------------------- The bug is in this part of code of search.php : [.....] if (isset($_GET['q'])) { $PAGE->assign('page_title', lang('page_title_search_results')); $pattern = $_GET['q']; $PAGE->assign('search_string', $_GET['q']); // build query $stext = new SearchText; $q = sprintf( $__QUERY, addslashes($_GET['q']), $stext->table_name(), addslashes($_GET['q']) ); $PAGE->assign('sql_query', $q); [.....] ########################## Credit: Autor: Kiki e-mail: federico.sana@alice.it web page: http://www.kiki91.altervista.org ##########################