Affected products: glFusion developer: http://www.glfusion.org/defect impact: 1.2.2 and probably prior tested version: 1.2.2
Advisory Details: High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in glFusion, which can be exploited to perform Cross-Site Scripting attacks. glFusion has a "bad_behaviour" plugin (installed by default) that verifies HTTP Referer, aimed to protect against spambots. the plugin also makes reflected XSS attacks against the application a little bit more complex. to bypass the security restriction PoC (Proof-of-Concept) codes for vulnerabilities 1.1-1.3 modify the HTTP Referer header. these PoCs were successfully tested in the latest available version of Mozilla Firefox (18.0.1 ). 1) Multiple Cross-Site Scripting (XSS) in glFusion: CVE-2013-1466 1.1 The vulnerability exists due to insufficient filtration of user-supplied data in "subject" http post parameter Pasto sed "/profiles. php "script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. the PoC code below uses "alert ()" JavaScript function to display user's cookies: