-######### [Saved] -
[27-07-2008/13:10:02]

.: Multiple Cross-Site Scripting Vulnerabilities in Web Wiz Rich Text Editor version 4.02

.: [Author] CSDT

.: [Affected versions] http://www.webwizguide.com/ - Web Wiz Rich Text Editor (RTE) 4.02

.: [Credit] The disclosure of these issues has been credited to autehoker of CSDT

ч_____________________________________________________________________________________________€

.: [Script Description]

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in

Web Wiz Rich Text Editor (RTE) 4.02 and earlier, and 3.x versions, allow remote attackers

to inject arbitrary web scripting. This flaw exists because the application does not validate

the Link Type ( "Email" ) variables upon submission to the RTE_popup_link.asp script.

This could allow a user to create a specially craftedURL that would execute arbitrary code

in a user's browser within the trust relationship between the browser and the server,

leading to a loss of integrity.

ч_____________________________________________________________________________________________€

.: [Classification]

Attack Type: Input Manipulation

Impact: Loss of Integrity

Fix: N/A Public release vulnz: {27-07-2008 Sun}

Class Input Validation Error

ч_____________________________________________________________________________________________€

.: [Solution]

Upgrade to version 4.03 or higher, as it has been reported to fix this vulnerability.

An upgrade is required as there are no known workarounds.

Actual Version: Web Wiz Rich Text Editor (RTE) 4.02

ч_____________________________________________________________________________________________€

.: [References]

Original Advisory http://depo2.nm.ru/WebWiz_Rich_Text_Editor_v4.02_XSS.txt

Related Depo2 BugTracker: http://depo2.nm.ru/WebWiz_Rich_Text_Editor_v4.02_XSS.txt

ч_____________________________________________________________________________________________€

.: [Manual Testing Notes]

ч

Web Wiz Rich Text Editor version 4.02 // RTE_popup_link.asp

function initialise(){

var selectedRange =

window.opener.document.getElementById('WebWizRTE').contentWindow.window.getSelection().toString();

//Use editor selected range to fill text boxes

if (selectedRange != undefined){

document.getElementById('URL').value = selectedRange

document.getElementById('email').value = selectedRange

}

ч

Select Link Type: Email - {Email value not filtered}

¤ span id="mailLink"

¤ input name="email" onfocus="document.forms.frmLinkInsrt.Submit.disabled=false;

//Line 65 post back If Request.Form("URL") <> "" OR Request.Form("email") <> "" AND Request.Form("postBack")

Then

ч

ч_____________________________________________________________________________________________€

.: [Script Download] {Free lisans: http://www.webwizguide.com/download/download.asp?DL=rte}

.: [XSS] U-Code %3C/textarea%3E'%22%3E%3Cscript%3Ealert('document.cookie')%3C/script%3E

.: [XSS] N-Code </textarea>'"><script>alert(document.cookie)</script> {XSSing.Com - XSS CHEATS Auth.

Depo2}

.: [ScreenShot] http://depo2.co.cc/WebWiz_Rich_Text_Editor_v4.02_XSS.jpg

.: [Demo] http://www.webwizguide.com/webwizrichtexteditor/demo/RTE_popup_link.asp

ч_____________________________________________________________________________________________€

.: [Greetings]

ч

.:[shoutz] L0cKed, Elrohir, xo7, Th3.Azad, Depo2, The_keSsk!N, MadNet, hayalperest, K4R4B3L4

ч ankuN, row3r, LekHe, M3M4T!, Dr.ExPERT, MuR@T, Bigboss, EjDeRx7, Arslan Yabgu, tьrk_ьz, by.s.s,

makmanaman, İsimsizCod3r, hackerali, De-PreaM, DarKWorM, Brian, |GeCCe|,

BİXİi , EkBeR-I DeRYa

ч

.: [SS] CSDT- Atabeyler TIM - Atabeyler.Org

-########_______________________________________________________________________________________ ####