Netautor Professional 5.5.0 (goback) XSS Vulnerability

Title: Netautor Professional 5.5.0 (goback) XSS Vulnerability
Advisory ID: ZSL-2010-4964
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 17.09.2010
Summary
Netautor Professional is an application server and development environment. Netautor Professional was developed to serve the practical needs of users, and was continuously advanced.
--
Digital Workroom is a well proven and time-tested Content Management System. It`s based on also digiconcept`s developed Application Server "Netautor Professional" and PHP 5. The standard functional range covers the majoritarian needs on Internet- and Intranet environments for publication and communication.
Description
Netautor Professional v5.5.0 suffers from a XSS vulnerability because input passed via the "goback" parameter to login2.php script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

--------------------------------------------------------------------------------

[FILE] :: [LINE#] :: [STRING]

\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 532 :: unset($GLOBALS['goback']);
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 536 :: if(!empty($GLOBALS['goback'])) $values['USER_TARGET'][0] = $GLOBALS['goback'];
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 575 :: /* Auf GLOBALS['goback'] von NPF_SECURE reagieren*/
\ROOT\digitalworkroom\exports\DW_5.3\mlayouts_262527331.xml :: 661 :: <?php if (empty( $GLOBALS['goback'])): ?>
\ROOT\netautor\napro4\home\login2.msk :: 49 :: <input type="hidden" name="goback" value="<?php echo($goback); ?>" >
\ROOT\netautor\napro4\home\login2.php :: 38 :: if(empty($goback)) $goback = $USER->get_feature_value('initial_doc');
\ROOT\netautor\napro4\include\functions\users.fnc :: 822 :: if (!strpos($url,'&goback=')) $url.='&goback='.rawurlencode($PHP_SELF);
\ROOT\netautor\napro4\include\npf_lib\npf_special.fnc :: 155 :: $redirect.=( strpos($redirect,'?') ? '&' : '?' ).'goback='.rawurlencode( $REQUEST_URI );

--------------------------------------------------------------------------------

Vendor
/digiconcept/ - http://www.digiconcept.net
Affected Version
Netautor Professional 5.5.0
Digital Workroom 5.3.1
Tested On
Microsoft Windows XP Professional SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)
Vendor Status
[14.09.2010] Vulnerability discovered.
[15.09.2010] Contact with the vendor.
[17.09.2010] No reply from vendor.
[17.09.2010] Public advisory released.
PoC
napro_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.packetstormsecurity.org/filedesc/ZSL-2010-4964.txt.html
[2] http://securityreason.com/wlb_show/WLB-2010090084
[3] http://www.securityfocus.com/bid/43290
[4] http://secunia.com/advisories/41475
[5] http://osvdb.org/show/osvdb/68128
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3489
Changelog
[17.09.2010] - Initial release
[18.09.2010] - Added reference [2] and [3]
[21.09.2010] - Added reference [4]
[22.09.2010] - Added reference [5]
[28.09.2010] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk