CVE-2010-5030
Description
Cross-site scripting (XSS) vulnerability in index.php in Ecomat CMS 5.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter in a web action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ecomat CMS 5.0 fails to sanitize the lang parameter in index.php, allowing reflected XSS attacks.
Vulnerability
Ecomat CMS version 5.0 contains a reflected cross-site scripting vulnerability in index.php. When the script is called with type=web, the lang parameter is reflected into the response without validation or output encoding, so an attacker who controls that value controls part of the page's HTML and can inject arbitrary HTML or JavaScript. The references confirm only version 5.0 as affected [1].
Exploitation
The attacker crafts a URL carrying a malicious lang value and lures a victim into opening it; no authentication or prior access to the site is required. The proof-of-concept URL from the advisory is http://host/index.php?type=web&lang=xx%22+onmouseover=alert%28123%29+style=position:absolute;left:0;top:0;width:100%;height:100%+&show=25&mhs=0. Decoded, the lang value reads xx" onmouseover=alert(123) style=position:absolute;left:0;top:0;width:100%;height:100% : the %22 closes the double-quoted attribute into which lang is reflected, onmouseover attaches an event handler to that element, and the injected style stretches the element over the whole viewport so that any mouse movement on the page fires the handler without a deliberate click on a specific link [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to theft of cookie-based authentication credentials, disclosure or modification of sensitive data, and compromise of the application for the affected user [1].
Mitigation
As of the referenced advisory (published 2010-05-18), the vendor (Codefabrik GmbH) had been alerted but had not released a fix; the advisory lists the status as "Not Fixed, Vendor Alerted, Awaiting Vendor Response." No patched version is confirmed in the available references. Until one exists, the lang value should be validated server-side against the set of installed language codes (rejecting or defaulting anything else) and HTML-encoded for the context in which it is reflected. A web application firewall rule that blocks a quote followed by an on*= attribute in lang is only a stopgap, since pattern blocklists can be bypassed with other encodings or other event handlers [1].
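The following is an added example written for this page, in Python rather than the CMS's PHP, and is not code from Ecomat CMS or from the cited advisories. It serves both the Exploitation and Mitigation sections above: it decodes the advisory's proof-of-concept URL, reflects the lang value the way a vulnerable template would, shows with a tolerant HTML parser that the reflection yields an onmouseover attribute, and then shows that output encoding alone, and an allowlist plus encoding, both remove it. The template markup, the set of supported language codes and the default language are assumptions; the real Ecomat template is not published in the references.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote_plus

# Constructed input: the proof-of-concept URL quoted in the advisory, verbatim.
POC_URL = ("http://host/index.php?type=web&lang=xx%22+onmouseover=alert%28123%29"
           "+style=position:absolute;left:0;top:0;width:100%;height:100%+&show=25&mhs=0")

# Assumption: the installed language set is not documented in the references;
# a real deployment would take it from the CMS configuration.
SUPPORTED_LANGS = {"de", "en", "fr", "it"}
DEFAULT_LANG = "en"  # assumption


def query_params(url):
    """Split the query string on '&' only (never ';', which the payload's CSS uses)
    and decode each value the way a PHP $_GET lookup would."""
    query = url.split("?", 1)[1] if "?" in url else ""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")  # value may itself contain '='
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_vulnerable(lang):
    """Assumed template shape: the reflected value lands inside a double-quoted
    attribute and in element text, with no encoding at all."""
    return '<a href="index.php?type=web&lang=%s">%s</a>' % (lang, lang)


def render_escaped_only(lang):
    """Output encoding alone: percent-encode for the URL context, then HTML-escape
    for the attribute and text contexts. The injected quote can no longer close
    the attribute, so no new attribute is created."""
    in_href = html.escape(quote(lang, safe=""), quote=True)
    in_text = html.escape(lang, quote=True)
    return '<a href="index.php?type=web&lang=%s">%s</a>' % (in_href, in_text)


def render_hardened(lang):
    """Allowlist first, encode second: an unknown language code never reaches the page."""
    if lang not in SUPPORTED_LANGS:
        lang = DEFAULT_LANG
    return render_escaped_only(lang)


class _HandlerCollector(HTMLParser):
    """Records every on* attribute a tolerant HTML parser (like a browser) attaches."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.handlers.append(name.lower())


def event_handlers(markup):
    """Sorted list of event-handler attribute names present in the markup."""
    collector = _HandlerCollector()
    collector.feed(markup)
    collector.close()
    return sorted(collector.handlers)


# WAF-style stopgap: decode, then look for a quote followed by an on*= attribute.
_BREAKOUT = re.compile(r'["\'][^<>]*\bon\w+\s*=', re.IGNORECASE)


def looks_like_attribute_breakout(raw_value):
    """True when the value (raw or still percent-encoded) contains an attribute
    breakout. Pattern matching is bypassable (other encodings, other handlers);
    it complements the allowlist above rather than replacing it."""
    return _BREAKOUT.search(unquote_plus(raw_value)) is not None


if __name__ == "__main__":
    lang = query_params(POC_URL)["lang"]
    print("decoded lang:", repr(lang))
    print("vulnerable handlers:", event_handlers(render_vulnerable(lang)))
    print("escaped-only handlers:", event_handlers(render_escaped_only(lang)))
    print("hardened handlers:", event_handlers(render_hardened(lang)))
    print("breakout detected:", looks_like_attribute_breakout(lang))
```

The parser-based check is the one worth keeping in a regression suite: it asks what a browser would see rather than whether a string looks suspicious. Note that the escaped-only rendering still prints the payload as visible text on the page; it is harmless there, but the allowlist version is what a language selector should do anyway.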
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:codefabrik:ecomat_cms:5.0:*:*:*:*:*:*:*
- (no CPE) range: = 5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.org/1006-exploits/ecomatcms-xss.txt (nvd; Exploit)
- www.htbridge.ch/advisory/xss_vulnerability_in_ecomat_cms.html (nvd; Exploit)
- www.securityfocus.com/bid/40491 (nvd; Exploit)
- secunia.com/advisories/40013 (nvd; Vendor Advisory)
- securityreason.com/securityalert/8517 (nvd)
- www.securityfocus.com/archive/1/511587/100/0/threaded (nvd)
News mentions
No linked articles in our index yet.