[CS-2464] XSS Vulnerability in front-end search - Sourcefabric Development Platform

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.5.0
Component/s: Security
Security Level: Everyone
Labels:
None

Description

This is from security company:

# Ariko-Security: Security Audits , Audyt bezpieczeństwa
# Advisory: 751/2010

============ { Ariko-Security - Advisory #1/12/2010 } =============

Campsite CMS XSS vulnerability

Vendor's Description of Software and demo:
# http://www.sourcefabric.org/ , http://campsite-demo.sourcefabric.org/en/

Dork:
# N/A

Application Info:
# Campsite CMS
# version last 3.4.3, 3.5.0-rc1

Vulnerability Info:
# Type: XSS

Time Table:
# 10/10/2010 - Vendor notified.
# 20/12/2010 - Release Date.

XSS:

# Input passed to the dumy parameter in http://[Site]/en/index.htm is not properly
sanitised before being returned to the user.

Sample:
# http://site/en/index.htm

POST: tpl=169&f_search_keywords=guest1&f_search_articles=Search&%3E%27%22%3E%3Cscript%3Ealert%2890209%29%3C%2Fscript%3E=123

Solution:
# Input validation should be corrected.

Credit:
# Discoverd By: Ariko-Security 2010

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Paul added a comment - 14/Jan/11 12:40 AM

Ofir, please confirm.

Show

Paul added a comment - 14/Jan/11 12:40 AM Ofir, please confirm.

Hide

Permalink

Ofir Gal added a comment - 28/Jan/11 9:39 PM

Validated

Show

Ofir Gal added a comment - 28/Jan/11 9:39 PM Validated

People

Assignee:

Ofir Gal

Reporter:

Paul

Implemented by:

Holman Romero

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

14/Jan/11 12:40 AM

Updated:

28/Jan/11 9:39 PM

Resolved:

28/Jan/11 10:16 AM

Time Tracking

Estimated:

Remaining:

Logged:

30m

Agile

View on Board