OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities
Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1
Tested Version: 3.12
Advisory Publication: April 15, 2015
Latest Update: April 15, 2015
Vulnerability Type: Improper Input Validation [CWE-20]
CVE Reference: *
OSVDB Reference: 120807
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
Advisory Details:
(1) Vendor & Product Description:
Vendor:
NetCat
Product & Vulnerable Version:
NetCat
3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1
Vendor URL & Download:
NetCat can be downloaded from here,
Product Introduction Overview:
NetCat.ru is a Russian local company. "NetCat designed to create an absolute majority of the types of sites: from simple "business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."
"Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."
(2) Vulnerability Details:
The NetCat web application has a security bug that can be exploited through HTML injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack exploits both a code-based vulnerability and a user's trust.
Several 0-day vulnerabilities in NetCat products have been found by other bug hunters and researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. "Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What's more, you can now subscribe to an RSS feed containing the specific tags that you are interested in - you will then only receive alerts related to those tags." It has published suggestions, advisories, and solution details related to cyber security vulnerabilities.
(2.1) The code flaw occurs in the "/catalog/search.php?" page, in the "&q" parameter.
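The pattern behind a reflected parameter such as q on a search page, shown as an added example that is not NetCat source code and not part of the original advisory: a hypothetical handler that echoes the value unencoded, beside a hardened form that validates the input and HTML-encodes it at output. The function names and the sample value are assumptions, and PHP 7+ with the mbstring extension is assumed.

```php
<?php
// Added illustration, not NetCat code. All function names are hypothetical.
// Assumes PHP 7+ with the mbstring extension.

// Vulnerable pattern: the raw q value is concatenated into the response,
// so markup supplied in the parameter becomes part of the page.
function render_heading_vulnerable(string $q): string
{
    return '<h2>Search results for: ' . $q . '</h2>';
}

// Input validation (CWE-20): reject invalid UTF-8, drop control
// characters, trim, and cap the length of the search term.
function normalize_query(string $q, int $maxLen = 100): string
{
    if (!mb_check_encoding($q, 'UTF-8')) {
        return '';
    }
    $q = preg_replace('/[\x00-\x1F\x7F]/u', '', $q) ?? '';
    return mb_substr(trim($q), 0, $maxLen, 'UTF-8');
}

// Hardened pattern: validate first, then encode for the HTML context at
// output time so <, >, &, " and ' are rendered as text, not markup.
function render_heading_hardened(string $q): string
{
    $safe = htmlspecialchars(normalize_query($q), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Search results for: ' . $safe . '</h2>';
}

// Constructed sample value carrying harmless markup (in a real handler the
// value would come from $_GET['q']).
$sample = '<b>constructed</b> "phones"';

echo render_heading_vulnerable($sample), PHP_EOL;
echo render_heading_hardened($sample), PHP_EOL;

// Self-check: the hardened output must contain no tag from the input.
if (strpos(render_heading_hardened($sample), '<b>') !== false) {
    throw new RuntimeException('query markup reached the page unencoded');
}
```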