. . .
._ | _. .|_ _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
"SineCms Version 2.3.4 - Non-Persistent XSS Vulnerability"
Date : 2007-04-26 (ISO 8601)
Product : SineCms
Version : 2.3.4 (last), prior versions may also be affected
Vendor : http://sourceforge.net/projects/sine - http://www.sinecms.net
Vendor Status : 2007-04-26 - Informed!
Description : SineCms is a management software for international communication
based on hypertext.
Google Dork : "SineCms Version: 2.3.4"
Source : nexus
E-mail : nexus[at]playhack[dot]net
Team : Playhack.net Security
2) Security Issues
The core module for Search engine is affected by a Non-Persistent Cross-Site Scripting
The source in "mods/Core/result.php" doesn't properly sanitize the input of the user
and just get the submitted text without any previous check on the content.
The affected variable is $_GET['stringa'], as a matter of fact if we try to insert a
The website will retrieve an url like:
The script makes only a check on apex, that can be simply avoided executing for
example a remote script like
It's easy to guess that this kind of vulnerability can be used to accomplish some
Phishing attacks, or whatever can be disfruted from an XSS flaw.
Edit the core source code and sanitize properly the inputted data.