Bitweaver Cross-Site Scripting
Class: Cross-Site Scripting & SQL Injection
Vendor: http://www.bitweaver.org/
Product: Bitweaver
Version: 2.0.0 & Previous
\lsces - Fixed in later versions
Examples:
(:exclaim:) A suitable example of what was used to test would be nice ... <script>alert('hi!');</script> is being used for test purposes.
/users/register.php/XSS
(:arrow:)http://bitweaver.org/users/register.php/<script>alert('hi!');</script>
/search/index.php/XSS
(:arrow:)http://medw.co.uk/search/index.php/<script>alert('hi!');</script>
( Search is not used in bw.o - ilike and lucene are alternative search options)
/users/login.php?error=XSS
(:arrow:)http://www.bitweaver.org/users/login.php?error=<script>alert('hi!');</script>
Persistent XSS:
If comments are enabled, an attacker can use this URL /wiki/index.php?page_id=1#editcomments
to POST evil scripts and PHP code into the page, where they are then served to every reader of that page. Sanitizing the input (and escaping it again on output) will prevent this.
Also we see that on forums there is the same issue: (NEED TO SANITIZE THE INPUT)
/forums/index.php?t=1&post_comment_reply_id=1&post_comment_request=1#editcomments
See attached comment below - but we also need to demonstrate on alternate site configurations
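The three reflected vectors above (the PATH_INFO suffix on register.php, the error parameter on login.php) and the stored comment vector share one root cause: request-derived or database-derived text written into HTML without encoding. The snippet below is an added illustration, not Bitweaver's own code; the function names, the use of $_SERVER['PHP_SELF'] as the form action and the comment rendering are assumptions chosen to reproduce the pattern the page describes, beside the hardened form.

```php
<?php
// Added example (not Bitweaver code). Reproduces the unescaped-output pattern the
// advisory reports and shows the fix: encode at output for the HTML context.

// Vulnerable: $_SERVER['PHP_SELF'] carries the PATH_INFO suffix, so a request to
// /users/register.php/<script>alert('hi!');</script> puts the tag into the markup.
function render_form_action_vulnerable(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Vulnerable: the ?error= query parameter is echoed as-is.
function render_login_error_vulnerable(): string {
    return '<div class="error">' . ($_GET['error'] ?? '') . '</div>';
}

// Hardened helper: encode once, at output, for an HTML text or attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: SCRIPT_NAME has no PATH_INFO suffix, and it is still encoded.
function render_form_action_safe(): string {
    return '<form action="' . h($_SERVER['SCRIPT_NAME']) . '" method="post">';
}

function render_login_error_safe(): string {
    return '<div class="error">' . h($_GET['error'] ?? '') . '</div>';
}

// Stored comment text: escape on every render. Input sanitization on the way in
// is a second layer, not a substitute, because the database may already hold
// comments posted before the filter existed.
function render_comment_safe(string $comment_body_from_db): string {
    return '<div class="comment">' . nl2br(h($comment_body_from_db)) . '</div>';
}

// Self-check with the page's test payload (constructed request values).
$_SERVER['PHP_SELF']    = "/users/register.php/<script>alert('hi!');</script>";
$_SERVER['SCRIPT_NAME'] = '/users/register.php';
$_GET['error']          = "<script>alert('hi!');</script>";

echo render_form_action_vulnerable(), "\n";   // the <script> tag survives into the markup
echo render_form_action_safe(), "\n";         // angle brackets become entities, inert text
echo render_login_error_vulnerable(), "\n";
echo render_login_error_safe(), "\n";
echo render_comment_safe("<script>alert('hi!');</script>"), "\n";
```

Run it with `php example.php` and compare the vulnerable and safe lines pairwise: the check a tester wants is that the literal string `<script>` never appears in the safe output, only its entity form. The same h() helper is what the comment and forum paths would call at render time.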
White Screen of Death: (SQL Injection)
Critical information (the failing query and database error text) is listed on this page when you inject evil code.
Some vectors work by injecting JavaScript code into the search box, and some produce
this page via the following URL: /wiki/list_pages.php?sort_mode='
White Screen of Death: should only be ENABLED while testing a site. Live sites should give a more suitable output.
(:arrow:)http://www.bitweaver.org/wiki/list_pages.php?sort_mode='
Putting a ' in search on http://medw.co.uk/search/index.php/ is also safe.
By Search:
/search/index.php?tk=316dccdfb62a3cad613e&highlight=SQL_INJECTION=&search=go
SQL_INJECTION has been addressed, but is more difficult to test, since it can also be dependent on database engine being used. The above example would fail anyway since it is highly unlikely that the ticket would be valid.
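The sort_mode vector and the White Screen of Death note above are two halves of one problem: a sort column cannot be passed as a bound parameter, so it has to be whitelisted, and database errors must go to the log rather than to the browser. The snippet below is an added illustration, not Bitweaver's own code; the table and column names, the accepted sort tokens and the in-memory SQLite database are assumptions constructed for this example.

```php
<?php
// Added example (not Bitweaver code). Shows the ORDER BY splice the advisory
// describes, the whitelist that replaces it, and the error handling that
// keeps driver messages off a live page.

// Live-site setting: never print PHP/driver errors to the visitor, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Vulnerable: sort_mode is spliced into the query. A value of ' makes the SQL
// invalid, and with display_errors on the driver's message is shown to the visitor.
function build_list_query_vulnerable(string $sort_mode): string {
    return "SELECT page_id, title, last_modified FROM wiki_pages ORDER BY " . $sort_mode;
}

// Hardened: map the request token to a fixed column/direction pair. Anything not
// in the map falls back to the default and never reaches the SQL text.
const SORT_MODES = [
    'title_asc'          => 'title ASC',
    'title_desc'         => 'title DESC',
    'last_modified_asc'  => 'last_modified ASC',
    'last_modified_desc' => 'last_modified DESC',
];

function build_list_query_safe(?string $sort_mode): string {
    $order = SORT_MODES[(string) $sort_mode] ?? SORT_MODES['title_asc'];
    return "SELECT page_id, title, last_modified FROM wiki_pages ORDER BY " . $order;
}

// Even with the whitelist, wrap execution: a failure is logged with full detail
// and the visitor gets a generic page instead of a blank one with the query in it.
function run_list_query(PDO $db, ?string $sort_mode): array {
    try {
        $stmt = $db->query(build_list_query_safe($sort_mode));
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('list_pages failed: ' . $e->getMessage());
        http_response_code(500);
        exit('An error occurred. The site administrator has been notified.');
    }
}

// Self-check against an in-memory SQLite database (assumes the pdo_sqlite
// extension); schema and rows are constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wiki_pages (page_id INTEGER, title TEXT, last_modified INTEGER)');
$db->exec("INSERT INTO wiki_pages VALUES (1, 'HomePage', 100), (2, 'Advisory', 200)");

echo build_list_query_vulnerable("'"), "\n";   // the stray quote is inside the SQL text
echo build_list_query_safe("'"), "\n";         // same token, default ORDER BY instead
foreach (run_list_query($db, 'last_modified_desc') as $row) {
    echo $row['page_id'], ' ', $row['title'], "\n";
}
```

The whitelist is the check that matters: the page's own note that the injection is hard to test because it depends on the database engine is exactly why a token-to-column map is preferable to trying to escape the value, since the map behaves identically on every engine.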
Google Dork: Powered by bitweaver
Comments
It's about...
Largely it seems to be related to ways of injecting code through "sloppy" checking of POST data (their words, not mine:-) etc.
Since this is very public... and at least claimed to be affecting R2, you should take it seriously... If you haven't already:-).
Cheers
-- Glenn
Re: It's about...
Testing allegation about comment XSS vulnerability
<script>alert('hi!');</script> should not be allowed and should be processed simply as text, which it is in preview and when posted