Nuggetz Admin Interface Cross Site Request Forgery Vulnerability


Description   A vulnerability has been identified in Nuggetz that could be exploited to conduct cross-site request forgery (CSRF) attacks. The issue is caused by input validation errors in the administrative interface when processing HTTP requests, which an attacker could exploit to manipulate certain data (e.g. insert data into ".nuggetz" files) by tricking an authenticated administrator into visiting a malicious web page.
     
Vulnerable Products   Vulnerable Software:
Nuggetz version 1.0.2 and prior
     
Solution   Upgrade to Nuggetz version 1.0.3: http://www.nuggetz.co.uk/nuggetz_v1.0.3.zip
     
CVE  
     
References   http://www.nuggetz.co.uk/versionhistory.htm
http://www.htbridge.ch/advisory/xss_vulnerability_in_nuggetz_cms.html
     
Vulnerability Manager Detection   No
     
IPS Protection

ASQ Engine alarm                                                        Available Since
XSS - Prevention - POST : suspicious tag with event found in data       3.2.0
XSS - Prevention - POST : suspicious 'object' tag found in data         3.2.0
XSS - Prevention - POST : suspicious 'applet' tag found in data         3.2.0
XSS - Prevention - POST : 'location' javascript object found in data    3.2.0
XSS - Prevention - POST : javascript code found in data                 3.2.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data         3.2.0
XSS - Prevention - POST : code allowing cookie access found in data     3.2.0
XSS - Prevention - POST : suspicious 'embed' tag found in data          3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data          3.2.0
XSS - Prevention - POST : suspicious 'div' tag found in data            3.2.0
XSS - Prevention - POST : 'script' tag found in data                    3.2.0
XSS - Prevention - POST : suspicious 'style' attribute found in data    3.2.0

Risk level   Low

Vulnerability First Public Report Date   2010-06-08

Target Type   Client

Possible exploit   Local & Remote