[VIM] 25430: Jadu CMS register.php Multiple Variable XSS (fwd)

security curmudgeon jericho at attrition.org
Sat Jun 3 04:19:14 EDT 2006


After replying to this, Suraj agreed that posting to the list would be 
good.

---------- Forwarded message ----------
From: Suraj Kika 
To: security curmudgeon <jericho at attrition.org>
Date: Fri, 2 Jun 2006 15:21:47 +0100
Subject: Re: [OSVDB Mods] [Change Request] 25430: Jadu CMS register.php Multiple
      Variable XSS

Hi Brian

Thanks again for your personal attention here which is really appreciated.

> Bear with me here please =) The more I understand the situation, the more
> I can help out. First, this sounds like you are talking about a script
> that was part of a hosted solution, not a downloaded/sold product. Is that
> true?

Yes indeed - that's true.

To clarify - the 'register.php' is not part of our core Jadu CMS software. The 
CMS itself is purely a back end to any web front end. Many customers share 
scripts and code with each other. Many develop their own code - none of which 
is part of the software.

'register.php' is the generic name of a script that Jadu CMS requires in order 
to facilitate the user database area of the CMS. This is implemented by web 
designers/developers/clients. It's not part of the core Jadu CMS software.

[..]

> Second, I can help with that. There is a mail list where many of the
> vulnerability databases talk and share this type of information. Once I
> get the answer to the question above, I can send all of our dialogue to
> the list so other VDBs can update as well. When I do, I will remove your
> email address (to help prevent spam problems), but leave your name and
> company name for reference.

We do have a concern that posting again would cause another chain-reaction. At 
the moment, if you search Google for 'Jadu CMS' - you will see the damage :( 
It's been very hard for us as we are only a small company. Do you think posting 
again would update the existing advisory posts or create new ones?

If this means that our organic search results become diluted again with more 
security advisory results - I'm not sure we can take the hit again.

Let me know what you think...

Suraj

On 2 Jun 2006, at 09:31, security curmudgeon wrote:

> 
> Hey Suraj,
> 
> : We had an issue where the input fields on a small number of web
> : interfaces using a version of 'register.php' - a non-generic customised
> : script - which were not correctly validated and hence allowed javascript
> : to be entered. The Jadu CMS database itself is protected from cross site
> : scripts and injection attacks.
> :
> : The issue was reported on Secunia and we found the affected sites and
> : implemented a patch on their behalf. None of the underlying Jadu CMS
> : systems were affected.
> 
> Bear with me here please =) The more I understand the situation, the more
> I can help out. First, this sounds like you are talking about a script
> that was part of a hosted solution, not a downloaded/sold product. Is that
> true?
> 
> : I'm trying to contact each advisory - and ask them to update their records.
> 
> Second, I can help with that. There is a mail list where many of the
> vulnerability databases talk and share this type of information. Once I
> get the answer to the question above, I can send all of our dialogue to
> the list so other VDBs can update as well. When I do, I will remove your
> email address (to help prevent spam problems), but leave your name and
> company name for reference.
> 
> : It may be advisable to list the sites affected rather than the product?
> 
> Each of the VDBs operates by product/vendor, not sites running them. If the
> register.php script was part of a hosted solution, or something written
> specific to a web site (even if re-used for a dozen sites), but not
> something sold or offered to other people in any form, then it is
> considered a site-specific issue and doesn't qualify for inclusion in most
> VDBs.
> 
> Brian
> OSVDB.org
>

--
Suraj Kika
CEO

Jadu Limited,
Development Centre: LCB, 31 Rutland Street, Leicester LE1 1RE
Main office: PO Box 2554, Rugby, Warwickshire CV21 4ZE

PLEASE NOTE THAT OUR CONTACT NUMBERS HAVE CHANGED:
T: 0116 253 3423 F: 0116 253 3424

http://www.jadu.co.uk
--
ISO 9001:2000 registered firm GB2001425
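The thread above describes the underlying defect in general terms only: form fields in a customised register.php were echoed back without correct validation, so script could be entered. The following is an added illustration of that failure mode and its fix, written for this post; it is not Jadu's register.php or any customer's script, and the field names, validation rule and sample input are all constructed for the example. The key design point is that escaping belongs at the point where data reaches HTML, so protecting the stored data alone does not prevent a reflected issue in a front-end script.

```php
<?php
// Added example, not code from Jadu or from the thread.
// Models a registration form that redisplays submitted values,
// which is the typical shape of a site-specific register.php.

// Vulnerable pattern: a request parameter interpolated straight into
// markup. A value containing a quote and a tag breaks out of the
// attribute and is parsed as HTML by the browser.
function render_field_vulnerable(string $name, string $value): string
{
    return "<input type=\"text\" name=\"$name\" value=\"$value\">";
}

// Hardened pattern: encode for the HTML context the value lands in.
// ENT_QUOTES covers both quote styles so attribute values are safe too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_field(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Input validation is a second, independent layer: reject values that
// are not plausible for the field at all. The rule here is constructed
// for the example (3-32 chars of letters, digits, dot, dash, underscore).
function validate_username(string $u): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.\-]{3,32}\z/', $u);
}

// Reads the fields a hypothetical register.php would redisplay and
// returns the form body, encoding every value on output.
function render_form(array $params): string
{
    $errors = [];
    $username = (string) ($params['username'] ?? '');
    if (!validate_username($username)) {
        $errors[] = 'Username must be 3-32 characters: letters, digits, . _ -';
    }

    $out = '';
    foreach ($errors as $e) {
        $out .= '<p class="error">' . h($e) . "</p>\n";
    }
    foreach (['username', 'fullname', 'email'] as $field) {
        $out .= render_field($field, (string) ($params[$field] ?? '')) . "\n";
    }
    return $out;
}

// Constructed sample input standing in for $_POST; the fullname value
// contains a quote and a tag, which is the shape of input the thread
// says was not being validated.
$sample = [
    'username' => 'alice',
    'fullname' => '"><b>not text</b>',
    'email'    => 'alice@example.invalid',
];

echo "Vulnerable rendering of fullname:\n";
echo render_field_vulnerable('fullname', $sample['fullname']), "\n\n";
// -> the attribute closes early and <b>not text</b> becomes live markup.

echo "Hardened rendering of the whole form:\n";
echo render_form($sample);
// -> value="&quot;&gt;&lt;b&gt;not text&lt;/b&gt;" : displayed as text only.
```

Run with `php register_example.php` to see the two renderings side by side. Encoding on output is what closes the gap the thread describes; the validation rule only narrows what is accepted in the first place and is not a substitute for it, because fields like a full name legitimately contain characters such as apostrophes.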