After I informed developers in August about multiple vulnerabilities in In-Portal CMS and they answered they would fix them soon (so wait for disclosure of the first vulnerabilities), I found a new hole in this CMS at their official site.
This is Cross-Site Scripting vulnerability in In-Portal CMS. Besides tens millions of vulnerable web sites with affected flash files and vulnerable multiple plugins for different engines, there are a lot of other vulnerable plugins and themes - even five years since my original advisory. This time it's a theme for In-Portal CMS.
This XSS is similar to XSS vulnerability in WP-Cumulus, which I've disclosed in 2009 (http://securityvulns.com/Wdoc
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of In-Portal CMS with this theme. There can be other vulnerable themes for this CMS.
----------
Details:
----------
Cross-Site Scripting (WASC-08):
http://site/themes/theme_name/
XSS at official site of In-Portal CMS:
http://www.in-portal.com/theme
Code will execute after click. It's strictly social XSS (http://websecurity.com.ua/547
I mentioned this vulnerability on my site (http://websecurity.com.ua/731
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
This is Cross-Site Scripting vulnerability in In-Portal CMS. Besides tens millions of vulnerable web sites with affected flash files and vulnerable multiple plugins for different engines, there are a lot of other vulnerable plugins and themes - even five years since my original advisory. This time it's a theme for In-Portal CMS.
This XSS is similar to XSS vulnerability in WP-Cumulus, which I've disclosed in 2009 (http://securityvulns.com/Wdoc
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of In-Portal CMS with this theme. There can be other vulnerable themes for this CMS.
----------
Details:
----------
Cross-Site Scripting (WASC-08):
http://site/themes/theme_name/
XSS at official site of In-Portal CMS:
http://www.in-portal.com/theme
Code will execute after click. It's strictly social XSS (http://websecurity.com.ua/547
I mentioned this vulnerability on my site (http://websecurity.com.ua/731
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information