← Advisories

Windu CMS 2.2 Multiple Persistent Cross-Site Scripting Vulnerabilities

Medium

Advisory ID

ZSL-2013-5148

Release Date

24 July 2013

Vendor

Adam Czajkowski - http://www.windu.org

Affected Version

2.2 rev 1430

CVE

N/A

Tested On

Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a

Summary

Windu CMS is a simple, lightweight and fun-to-use website content management software.

Description

Multiple stored XSS vulnerabilities exist when parsing user input to the 'name' and 'username' POST parameters. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept

winducms_xss.htmlTXT

Disclosure Timeline

21.07.2013Vulnerabilities discovered.

23.07.2013Contact with the vendor.

24.07.2013No reply from the vendor.

24.07.2013Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://www.securityfocus.com/bid/61428

[2]http://cxsecurity.com/issue/WLB-2013070188

[3]http://packetstormsecurity.com/files/122537

[4]http://www.exploit-db.com/exploits/27128/

[5]http://xforce.iss.net/xforce/xfdb/85976

Changelog

24.07.2013Initial release

25.07.2013Added reference [2] and [3]

28.07.2013Added reference [4]

29.07.2013Added reference [5]