redaxscript 2.5.0: XSS
Date: 2015-12-02 10:49:211. Introduction
| Affected Product: | redaxscript 2.5.0 |
| Fixed in: | 2.6.1 |
| Fixed Version Link: | http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip |
| Vendor Contact: | info@redaxmedia.com |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 10/02/2015 |
| Disclosed to public: | 12/02/2015 |
| Release mode: | Coordinated release |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Overview
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
There is a persistent XSS vulnerability when leaving comments. It requires the admin to hover over a link to trigger the injected code.
This issue can lead to the injection of JavaScript keyloggers, or the bypassing of CSRF protection. In this case, this may lead to code execution.
The issue has been partially fixed in version 2.6.0. However, it was still possible to inject a style attribute, making XSS in older browsers possible. This has been fixed in version 2.6.1.
3. Proof of Concept
1. Create a comment, as comment text use:
comment" onmouseover=alert(1) foo="
2. In the sidebar, hover over the comment to trigger the XSS.
4. Solution
To mitigate this issue please upgrade at least to version 2.6.1:
http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip
Please note that a newer version might already be available.
5. Report Timeline
| 10/02/2015 | Informed Vendor about Issue |
| 11/15/2015 | Vendor releases partial fix |
| 11/24/2015 | Informed vendor that fix is incomplete |
| 11/25/2015 | Vendor releases fix |
| 12/02/2015 | Disclosed to public |