← Advisories

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities

Medium
Advisory ID
ZSL-2013-5157
Release Date
31 October 2013
Vendor
ImpressPages UAB - http://www.impresspages.org
Affected Version
3.6
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

ImpressPages CMS is an open source web content management system with revolutionary drag & drop interface.

Description

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site.

Proof of Concept
impresspages_sqlixss.txtTXT
Disclosure Timeline
12.10.2013Vulnerabilities discovered.
20.10.2013Contact with the vendor.
20.10.2013Vendor responds asking more details.
22.10.2013Sent details to the vendor.
22.10.2013Vendor working on reported issues.
22.10.2013Asked vendor for estimated timeframe for developing patches.
24.10.2013Vendor confirms the issues promising fix.
29.10.2013Vendor releases version 3.7 to address these issues.
31.10.2013Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
[2]http://www.securityfocus.com/bid/63459
[3]http://packetstormsecurity.com/files/123871
[4]http://cxsecurity.com/issue/WLB-2013110002
[5]http://www.osvdb.org/show/osvdb/99220
[6]http://www.osvdb.org/show/osvdb/99221
[7]http://www.osvdb.org/show/osvdb/99223
[8]http://secunia.com/advisories/55303
[9]http://secunia.com/advisories/55505
[10]http://www.exploit-db.com/exploits/29318/
[11]http://xforce.iss.net/xforce/xfdb/88459
Changelog
31.10.2013Initial release
01.11.2013Added reference [3], [4], [5], [6] and [7]
04.11.2013Added reference [8] and [9]
15.11.2013Added reference [10] and [11]