Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability

Severity
Medium
Advisory ID
ZSL-2011-5018
Release Date
09 June 2011
Vendor
The Pacer Edition - http://www.thepaceredition.com
Affected Version
RC 2.1 (SVN: 867)
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

The Pacer Edition is a Content Management System (CMS) written in PHP, with PHP 5.2.9 as the minimum required version. It is based on the Website Baker core and has been completely redesigned with a new look and feel, along with many new advanced features that let you build sites exactly the way you want and make them 100% yours.

Description

Pacer Edition CMS suffers from an XSS vulnerability in 'admin/login/forgot/index.php': the 'email' parameter submitted via POST is not HTML-encoded before it is used in the response. The only sanitisation visible in the snippet below is the $admin->add_slashes() call, which escapes the value for the SQL query and does nothing to prevent script injection into HTML output. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Because the parameter is read from POST, the attacker must get the victim's browser to submit the request, for example through an auto-submitting form on an attacker-controlled page.

/admin/login/forgot/index.php (lines 77-83)

if(isset($_POST['email']) AND $_POST['email'] != "") {

    $email = $_POST['email'];

    // Check if the email exists in the database
    $query = "SELECT user_id,username,display_name,email,last_reset,password FROM ".TABLE_PREFIX."users WHERE email = '".$admin->add_slashes($_POST['email'])."'";
    $results = $database->query($query);
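The following is an added example, not code from Pacer Edition or from this advisory. It reproduces the pattern described above in a self-contained PHP script: the vulnerable function escapes the 'email' value only for SQL and then writes the raw value into the HTML response, while the hardened function validates the address, binds it as a query parameter and HTML-encodes anything it echoes. The function names, the message text and the bare 'users' table name (the real code uses TABLE_PREFIX."users") are assumptions made for the example.

```php
<?php
// Added example mirroring the advisory's pattern; not Pacer Edition code.
// Function names, message text and the 'users' table name are assumptions.

// Vulnerable: addslashes() protects the SQL string, but the raw value is
// then written into the page, so '<script>' survives intact.
function forgot_message_vulnerable(string $email): array
{
    $query = "SELECT user_id FROM users WHERE email = '" . addslashes($email) . "'";
    $html  = "<p>A new password was sent to " . $email . "</p>";
    return ['query' => $query, 'html' => $html];
}

// Hardened: reject anything that is not an e-mail address (and do not echo
// the rejected input), use a bound parameter for the lookup, and HTML-encode
// the value before placing it in the response.
function forgot_message_fixed(string $email, ?PDO $db = null): string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        return "<p>Please enter a valid e-mail address.</p>";
    }
    if ($db !== null) {
        $stmt = $db->prepare("SELECT user_id FROM users WHERE email = ?");
        $stmt->execute([$clean]);
    }
    // ENT_QUOTES encodes both quote styles, so the value is also safe inside
    // an attribute; the context here is HTML text.
    $safe = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>A new password was sent to " . $safe . "</p>";
}

// Demonstration on a constructed payload.
$payload = '<script>alert(document.cookie)</script>';
$vuln = forgot_message_vulnerable($payload);
echo $vuln['query'], "\n";   // addslashes changed nothing: no quotes in the payload
echo $vuln['html'], "\n";    // script tag is returned verbatim
echo forgot_message_fixed($payload), "\n";              // rejected by the validator
echo forgot_message_fixed('admin@example.com'), "\n";   // normal address passes
```

Run it with `php poc.php`. The request the description corresponds to is a POST of the same payload in the 'email' field to /admin/login/forgot/index.php on the target host; an attacker has to deliver it through the victim's browser, since the parameter is not read from the query string.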
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
09.06.2011 Initial release
10.06.2011 Added reference [2]
11.06.2011 Added reference [3] and [4]