Overview
--------
PostCalendar is an add-on for the popular PostNuke content management system. It provides a calendar that users can add events to.

Problem
-------
A user can add an event containing unchecked HTML tags. This includes the <script> tag, which allows an attacker to steal cookies, redirect the site and much more.

Exploit
-------
As a logged in user, enter a bogus calendar entry WITHOUT any html. Hit the preview button. On the screen you get from that, alter your post to contain your favorite javascript in between <script></script> tags. Hit submit. When a user goes to view your event, the javascript will execute. (The calendar block is not affected by this, only the main pages.)

Vendor Status
-------------
Vendor notified 19/Apr/2002 21:19 PDT. Initial response received 20 Apr 2002 01:41 PDT (very nice!). Patch sent to me a few hours later. (Yahoo has its times in PDT, ah well). Cool vendor! Thanks dude! Unsure of next version release, but asked vendor to release patch if nothing else. Asked vendor if I could include patch in advisory - but I think he went to sleep (it was 3:30am his time)...:\ I'll include it anyhow, I'm sure he won't mind :) You might want to check it doesn't break your site though...I will take no responsibility!!! :)

Sign Off
--------
Greets to all the nz2600 peeps! Disclaimer: I don't work for the GCSB, ok? :)

Thanks,
gcsb.
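
The flow described under Exploit, as an added example that is not part of the original advisory or the vendor's patch: it assumes the HTML check ran only on the first form and not on the submit that follows the preview. The handler names, the `step` field and the sample requests are hypothetical.

```php
<?php
// Added example: hypothetical handlers, not PostCalendar or PostNuke code.

// Weak pattern (assumed): the check lives in the first form handler only,
// so the second POST sent from the preview screen reaches storage unchecked.
function handle_new_event_weak(array $post, array &$store): void
{
    if ($post['step'] === 'form' && $post['text'] !== strip_tags($post['text'])) {
        throw new InvalidArgumentException('HTML not allowed');
    }
    if ($post['step'] === 'submit') {
        $store[] = $post['text'];      // preview-stage edits are never rechecked
    }
}

// Hardened: validate on every request that carries the field ...
function handle_new_event(array $post, array &$store): void
{
    $text = (string)($post['text'] ?? '');
    if ($text !== strip_tags($text)) {
        throw new InvalidArgumentException('HTML not allowed');
    }
    if (($post['step'] ?? '') === 'submit') {
        $store[] = $text;
    }
}

// ... and encode at output, so stored text stays inert even if a check is missed.
function render_event(string $stored): string
{
    return '<div class="event">'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
        . '</div>';
}

// Constructed requests: a clean first form, then an edited preview submit.
$store  = [];
$edited = ['step' => 'submit', 'text' => 'Meeting <script>/* constructed */</script>'];

handle_new_event_weak(['step' => 'form', 'text' => 'Meeting'], $store);
handle_new_event_weak($edited, $store);     // accepted: stored with the tag
echo render_event($store[0]), "\n";         // encoded, so it displays as text

try {
    handle_new_event($edited, $store);      // same request, now refused
} catch (InvalidArgumentException $e) {
    echo 'rejected at submit: ', $e->getMessage(), "\n";
}
```

Anyone applying a fix for this class of bug can check both layers independently: the submit handler should refuse the edited preview request, and the event page should encode whatever is already in storage.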
This archive was generated by hypermail 2b30 : Sat Apr 20 2002 - 13:03:57 PDT