
Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection

Medium
Advisory ID
ZSL-2011-5004
Release Date
25 March 2011
Vendor
Ryan Haudenschilt - http://www.familycms.com
Affected Version
2.3.2
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Family Connections is an open source content management system. It makes creating a private, family website easy and fun.

Description

FCMS suffers from a stored XSS vulnerability (post-auth) in the messageboard.php script through the 'subject' POST parameter. The XML injection lies in the /inc/getChat.php script, reached through the 'users' GET parameter (which only needs to be present, with no value) together with the 'message' POST parameter.

/inc/getChat.php
----------------
30: // New Chat text
31: if (isset($_POST['message']) && $_POST['message'] != '') {
32:     $sql = "INSERT INTO fcms_chat_messages(chat_id, user_id, user_name, message, post_time)
33:             VALUES (1, " . cleanInput($_POST['user_id']) . ", '" . cleanInput($_POST['name']) . "', '" . cleanInput($_POST['message']) . "', NOW())";
...
46: //Create the XML response.
47: $xml = '<?xml version="1.0" ?><root>';
48: // Get Users Online
49: if (isset($_GET['users']))
50:     // Timezone stuff
51:     $sql = "SELECT `timezone` FROM `fcms_user_settings` WHERE `user` = ".cleanInput($_GET['user_id']);
...
107: $xml .= '<text>' . htmlspecialchars($message_array['message']) . '</text>';
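Added example, not part of the advisory or of the FCMS code base: it builds a getChat.php-style XML response three ways and counts how many <text> elements a parser actually sees, so the difference between raw string concatenation and context-aware escaping is visible; a companion function shows the same escaping step for the messageboard.php 'subject' HTML context. The sample message is constructed, the function names are this example's own, and ENT_XML1 assumes PHP 5.4 or later (the PHP 5.3.1 build the advisory was tested on would need the XMLWriter variant instead).

```php
<?php
// Added example (not FCMS code): XML and HTML output encoding for the two
// sinks named in the advisory. Function names and sample data are this
// example's own.

// Constructed sample: a chat message that happens to contain XML markup.
$sampleMessage = "hi</text><text>injected</text><text>";

// Vulnerable pattern: the stored value is dropped straight into the XML
// document, so any markup in it becomes part of the response structure.
function buildUnsafe(string $message): string
{
    return '<?xml version="1.0" ?><root><text>' . $message . '</text></root>';
}

// Hardened pattern: escape for XML text content before concatenating.
// ENT_XML1 | ENT_QUOTES makes htmlspecialchars emit XML entities (PHP >= 5.4).
function buildEscaped(string $message): string
{
    $safe = htmlspecialchars($message, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return '<?xml version="1.0" ?><root><text>' . $safe . '</text></root>';
}

// Alternative that also works on older PHP: let XMLWriter own the escaping
// instead of building the document by string concatenation.
function buildWithWriter(string $message): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startDocument('1.0');
    $w->startElement('root');
    $w->writeElement('text', $message);   // escapes the text node for us
    $w->endElement();
    $w->endDocument();
    return $w->outputMemory();
}

// Stored XSS context (messageboard.php 'subject'): escape at the point the
// stored value is written into HTML; ENT_QUOTES also covers attribute values.
function renderSubject(string $subject): string
{
    return '<td>' . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Defender's check: count the <text> elements the parser sees. More than one
// means the input rewrote the document structure; -1 means it did not parse.
function countTextNodes(string $xml): int
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml);
    return $doc === false ? -1 : count($doc->text);
}

printf("unsafe:  %d <text> node(s)\n", countTextNodes(buildUnsafe($sampleMessage)));
printf("escaped: %d <text> node(s)\n", countTextNodes(buildEscaped($sampleMessage)));
printf("writer:  %d <text> node(s)\n", countTextNodes(buildWithWriter($sampleMessage)));
printf("subject: %s\n", renderSubject('<b>"hello"</b>'));
```

The point of counting elements rather than eyeballing the string is that it is the same check a reviewer can drop into a unit test for any endpoint that assembles XML by concatenation: one stored value must always yield exactly one node. Note that cleanInput() at the INSERT stage is not a substitute for either encoding step, because it runs in the SQL context, not in the XML or HTML context where the value is later emitted.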
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
High five to Michael Brooks
References
Changelog
25.03.2011 - Initial release
26.03.2011 - Added reference [2], [3] and [4]
28.03.2011 - Added reference [5] and [6]
30.03.2011 - Changed title, PoC file and Credits
02.04.2011 - Added reference [7]