[Full-Disclosure] XSS in Synkron.web CMS
b240503 at gyrniff.dk
Fri Jun 6 09:58:51 BST 2003
Release Date: 06.06.2003
Application: Synkron.web 3
Vendor Status: Absent
Author: Torben 'Gyrniff' Frohn
Synkron.web 3 is a module-based CMS running on IIS.
"Ever since 1997, it has been Synkron's mission to help companies manage on
their own when setting up a presence on the Internet. To achieve this,
Synkron has developed a so-called "Web content management" system, which
everyone with a user-level knowledge of IT can learn to use in less than a
single day." (quote from vendor site.)
The search module does not HTML-encode incoming special characters in its
output. It is not an easy task to exploit because of the POST method used in
the search, but Synkron.web has caching that could be used in an exploit.
Proof of Concept
First visit the search page:
Then search for:
Finally visit the cached page:
N/A, but http://www.synkron.com/ contains links to vulnerable sites.
Unknown but probably fixed in version 3.5.
Vulnerability found by Torben Frohn (Gyrniff)
Full-Disclosure is hosted and sponsored by Secunia.
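The flaw described above, a search term echoed without HTML encoding and then kept in a cache that a plain GET can fetch, can be shown next to its fix. This is an added example, not code from the advisory or from Synkron.web. The page template, the `ResultCache` class, the function names and the sample search term are all constructed for illustration.

```python
import html

# Constructed sample search term containing HTML special characters.
SAMPLE_QUERY = '<i>"cms" & \'search\'</i>'

# Hypothetical results template; {term} is where the search term is echoed.
PAGE = "<html><body><h1>Search results</h1><p>You searched for: {term}</p></body></html>"


def render_unencoded(query: str) -> str:
    """Behaviour the advisory describes: the term is written out as-is."""
    return PAGE.format(term=query)


def render_encoded(query: str) -> str:
    """Hardened form: encode &, <, >, " and ' before writing the term."""
    return PAGE.format(term=html.escape(query, quote=True))


class ResultCache:
    """Hypothetical cache: keeps each rendered result page under an id so it
    can be fetched later with a plain GET, independent of the original POST."""

    def __init__(self, renderer):
        self._renderer = renderer
        self._pages = {}

    def search(self, query: str) -> int:
        """Handle the POSTed search and return the id of the cached page."""
        page_id = len(self._pages) + 1
        # Whatever the renderer produced is what every later visitor receives,
        # so encoding has to happen before the page is stored.
        self._pages[page_id] = self._renderer(query)
        return page_id

    def get(self, page_id: int) -> str:
        """Serve the cached page."""
        return self._pages[page_id]


def reflects_raw(cache: ResultCache, query: str) -> bool:
    """True if the query contains HTML special characters and the cached
    page returns it unmodified."""
    page = cache.get(cache.search(query))
    return html.escape(query, quote=True) != query and query in page


if __name__ == "__main__":
    print("unencoded renderer:", reflects_raw(ResultCache(render_unencoded), SAMPLE_QUERY))
    print("encoded renderer:  ", reflects_raw(ResultCache(render_encoded), SAMPLE_QUERY))
```

The `reflects_raw` check can be run as a regression test against every template that echoes request data into a cached page.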