VYPR
Unrated severity · NVD Advisory · Published Oct 8, 2011 · Updated Apr 29, 2026

CVE-2010-4895

Description

Cross-site scripting (XSS) vulnerability in core/showsite.php in chillyCMS 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the username field). NOTE: some of these details are obtained from third party information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

chillyCMS 1.1.3 is vulnerable to reflected XSS via the name parameter in core/showsite.php, allowing arbitrary script injection.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in chillyCMS version 1.1.3 in the file core/showsite.php. When a login attempt fails, the name parameter (the username field) is echoed back into the response page without sanitization or output encoding, so an attacker can inject arbitrary HTML or JavaScript into that response. The only precondition is a login attempt with a crafted username [1][2].

Exploitation

An attacker only needs network access to the vulnerable chillyCMS instance; no authentication is required. The attacker places a malicious payload in the name parameter of the login request. When the login fails, the server reflects this payload into the response page, and the victim's browser executes the script in the context of the vulnerable application. A victim must visit a link crafted by the attacker or submit a form containing the payload [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected domain. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies. The attacker does not gain direct server-side control, but may leverage the XSS to perform actions on behalf of the victim [1][2].

Mitigation

According to the available references, the vendor has not released a patch and no fix is available as of this advisory. As a workaround, users are advised to apply input validation and, more importantly, output encoding to the name parameter wherever core/showsite.php reflects it into HTML. If the application is no longer maintained, migrating to an alternative CMS should be considered [2].
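The following PHP snippet, added here as an illustration and not taken from chillyCMS, contrasts the reflected-output pattern described above with the output-encoding workaround; the function names and the login-failure message are hypothetical.

```php
<?php
// Added illustration of the reflected-XSS pattern and its fix.
// NOT chillyCMS code: function names and message text are hypothetical.

// Vulnerable pattern: the submitted username is reflected verbatim into
// the HTML response, so any markup it contains becomes part of the page.
function render_login_error_vulnerable(string $name): string
{
    return "<p>Login failed for user " . $name . "</p>";
}

// Hardened pattern: HTML-encode the value at the output boundary.
// ENT_QUOTES also encodes single and double quotes, so the same helper is
// safe for element text and for quoted attribute values; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function render_login_error_hardened(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Login failed for user " . $safe . "</p>";
}

// Input validation as a second layer: usernames that are not plain word
// characters are rejected before they reach any template at all.
function is_plausible_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name) === 1;
}

// Constructed sample input: harmless markup where a username is expected.
$name = '<b>"demo"</b>';

echo "vulnerable: ", render_login_error_vulnerable($name), PHP_EOL;
echo "hardened:   ", render_login_error_hardened($name), PHP_EOL;
echo "validated:  ", is_plausible_username($name) ? "accept" : "reject", PHP_EOL;
```

Run with the PHP CLI; the vulnerable line keeps the `<b>` tags as live markup while the hardened line renders them as literal text, and the validator rejects the value outright.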

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:chillycms:chillycms:1.1.3:*:*:*:*:*:*:*
  • (no CPE) range: =1.1.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.