SNS Vulnerability

Twilight CMS Cross-Site Scripting and Arbitrary File Disclosure Vulnerabilities

Description

High-Tech Bridge has discovered two vulnerabilities in Twilight CMS, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose certain sensitive information.
1) Input appended to the URL after /gallery/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input passed via the URL to the application is not properly validated before being used to read files. This can be exploited to disclose contents of arbitrary files.
The vulnerabilities are confirmed in version 5.17 of Russian and English versions. Other versions may also be affected.

Vulnerable Products

Vulnerable Software:
Twilight CMS 5.x

Solution

No official solution is currently available. Update the Russian version to version 5.24, which fixes the vulnerability #1.

CVE

References

High-Tech Bridge:
https://www.htbridge.com/advisory/HTB23167
https://www.htbridge.com/advisory/HTB23166

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL	3.2.0
Misc : Directory traversal - parameter starting with ../	3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL	3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL	3.2.0
Directory traversal using ..\..	3.2.0
XSS - Phishing : suspicious 'div' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL	3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL	3.2.0
Directory traversal	3.2.0
XSS - Phishing : suspicious 'a' tag found in URL	3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL	3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL	3.2.0
XSS - Phishing : suspicious 'form' tag found in URL	3.2.0
XSS - Prevention - GET : javascript code found in URL	3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL	3.2.0
Directory traversal backward root folder	3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL	3.2.0
XSS - Phishing : suspicious 'link' tag found in URL	3.2.0
XSS - Prevention - GET : 'script' tag found in URL	3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL	3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL	3.2.0
SQL injection Prevention - GET : Evasion attempt with CAST and EXEC statements	5.0.0

Risk level

Moderate

Vulnerability First Public Report Date

2013-08-27

Target Type

Server

Possible exploit

Remote