Security Advisory 07-012 – Fatwire CMS is vulnerable to XSS in multiple locations

Vulnerability Title:

Fatwire CMS is vulnerable to XSS in multiple locations.

Vulnerable System:

Fatwire Corporation Content Server 6.3.0

Vulnerability discovery and development:

Portcullis Security Testing Services

Credit for Discovery:

Andrew Davies of Portcullis Computer Security Ltd discovered this vulnerability.

Affected Systems:

Fatwire Corporation Content Server 6.3 was found to be vulnerable.

Details:

The CMS is vulnerable to XSS in multiple locations, mainly within the search and advanced search functions.

Impact: Low > Moderate. For this vulnerability to be exploited, a malicious user must craft a URL that contains the code they wish to execute within the victim's browser. Once the attacker has encouraged their victims to follow the link, the code will execute. This vulnerability can also be used to steal session IDs stored in cookies and thus potentially gain access to admin accounts.

Example:

Insert the following into any text form field: "<script>alert('xss')</script>"
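The defect described above is a search parameter reflected into the response without output encoding. The following is an added illustration, not code from the advisory or from the Fatwire product: a minimal Python search handler showing the unencoded reflection beside its encoded form, plus a session cookie set with the HttpOnly flag, which limits the cookie-theft impact the advisory mentions. The handler name, the query parameter `q` and the cookie name `JSESSIONID` are assumptions chosen for the example.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Payload quoted in the advisory; used here only to confirm encoding neutralises it.
ADVISORY_PAYLOAD = "<script>alert('xss')</script>"


def render_search_vulnerable(query: str) -> str:
    """'Before' form: the search term is reflected as raw markup."""
    return f"<h1>Search results for: {query}</h1>"


def render_search_hardened(query: str) -> str:
    """HTML text-node context: escape <, >, & and quotes so the browser
    renders the characters literally instead of parsing them as tags."""
    return f"<h1>Search results for: {html.escape(query, quote=True)}</h1>"


def render_search_box_hardened(query: str) -> str:
    """Quoted-attribute context (re-populating the search box): quotes must
    be encoded as well, which quote=True covers for both ' and \"."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


def contains_live_script(markup: str) -> bool:
    """Crude detection check: does the markup still carry an unencoded <script tag?"""
    return "<script" in markup.lower()


def session_cookie_value(session_id: str) -> str:
    """Set-Cookie value for the session ID with HttpOnly (script cannot read
    document.cookie) and Secure (only sent over TLS). Cookie name is assumed."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = session_id
    jar["JSESSIONID"]["httponly"] = True
    jar["JSESSIONID"]["secure"] = True
    jar["JSESSIONID"]["path"] = "/"
    return jar["JSESSIONID"].OutputString()


def handle_search_request(query_string: str, session_id: str):
    """Hypothetical request handler: parse the query string, render the
    encoded page and return (body, headers)."""
    params = parse_qs(query_string, keep_blank_values=True)
    query = params.get("q", [""])[0]
    body = render_search_hardened(query) + render_search_box_hardened(query)
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", session_cookie_value(session_id)),
    ]
    return body, headers


if __name__ == "__main__":
    # Constructed request carrying the advisory payload, percent-encoded as a browser would send it.
    qs = "q=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
    body, headers = handle_search_request(qs, "constructed-session-id")
    print(render_search_vulnerable(ADVISORY_PAYLOAD))
    print(body)
    print(headers)
```

The two render functions differ only in the `html.escape` call; the point is that the encoding must match the context the value lands in (text node versus attribute), and that the HttpOnly flag is a containment measure for the session-theft scenario rather than a fix for the injection itself.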

Vendor Status:

The vendor has been contacted and has advised that the vulnerability has been fixed in the latest patch release for CS 6.3.

Copyright:

Copyright © Portcullis Computer Security Limited 2007, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.