Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities

Title: Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2012-5086
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 02.05.2012
Summary
BabyGekko strives to deliver high quality websites and other web content fast and easy for all end users. It is a lightweight, extensible content management system platform for publishing websites, intranets, or blogs.
Description
Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session or disclose the full installation path of the affected CMS.

--------------------------------------------------------------------------------

Reflected (Non-Persistent) XSS:

 1. username
 2. password
 3. verification_code
 4. email_address
 5. password_verify
 6. firstname
 7. lastname

Stored (Persistent) XSS:

 8. groupname
 9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description

--------------------------------------------------------------------------------

Vendor
Baby Gekko, Inc. - http://www.babygekko.com
Affected Version
1.1.5c
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.9
MySQL 5.5.20
Vendor Status
[05.04.2012] Vulnerabilities discovered.
[05.04.2012] Initial contact with the vendor.
[06.04.2012] Vendor responds asking more details.
[07.04.2012] Sent details to the vendor.
[09.04.2012] Vendor replies confirming the issues.
[10.04.2012] Working with the vendor.
[02.05.2012] Vendor releases patched version 1.2.0 to address these issues.
[02.05.2012] Coordinated public security advisory released.
PoC
babygekko_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Prana
References
[1] http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html
[2] http://packetstormsecurity.org/files/112425
[3] http://www.exploit-db.com/exploits/18827/
[4] http://cxsecurity.com/issue/WLB-2012050029
[5] http://secunia.com/advisories/49023
[6] http://secunia.com/advisories/49052
[7] http://www.securityfocus.com/bid/53366
[8] http://xforce.iss.net/xforce/xfdb/75357
[9] http://xforce.iss.net/xforce/xfdb/75360
[10] http://xforce.iss.net/xforce/xfdb/75364
[11] http://www.osvdb.org/show/osvdb/81672
[12] http://www.osvdb.org/show/osvdb/81673
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3836
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3837
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3838
Changelog
[02.05.2012] - Initial release
[03.05.2012] - Added reference [2], [3], [4], [5], [6] and [7]
[05.05.2012] - Added reference [8], [9] and [10]
[09.05.2012] - Added reference [11] and [12]
[19.07.2012] - Added reference [13], [14] and [15]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk