20 September, 2011

Toko Lite CMS Multiple XSS POST Injection / CRLF Injection / HTTP Response Splitting

Toko CMS suffers from a XSS vulnerability when parsing user input to the ‘currPath’ and ‘path’ parameters via POST method in ‘editnavbar.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session. Input passed to the ‘charSet’ parameter in ‘edit.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

Advisory ID: ZSL-2011-5047
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php
PoC: http://www.zeroscience.mk/codes/tokocms_xss.txt

Advisory ID: ZSL-2011-5048
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php
PoC: http://www.zeroscience.mk/codes/tokocms_crlf.txt


Ref: http://zeroscience.mk/blog/09/2011/toko-lite-cms-multiple-xss-post-injection-crlf-injection-http-response-splitting/