Bugtraq mailing list archives

Vulnerability in PostCalendar


From: gcsb <gcsbnz () yahoo com>
Date: Sat, 20 Apr 2002 00:51:53 -0700 (PDT)

Overview
--------

PostCalendar is an add-on for the popular PostNuke
content management system. It provides a calendar to
which users can add events.

Problem
-------

A user can add an event containing unchecked HTML tags.
This includes the <script> tag, which allows an
attacker to steal cookies, redirect the site and much
more.

Exploit
-------

As a logged-in user, enter a bogus calendar entry
WITHOUT any HTML. Hit the preview button. On the
screen you get from that, alter your post to contain
your favorite javascript in between <script></script>
tags. Hit submit.
When a user goes to view your event, the javascript
will execute. (The calendar block is not affected by
this, only the main pages.)

Vendor Status
-------------

Vendor notified 19/Apr/2002 21:19 PDT. Initial
response received 20 Apr 2002 01:41 PDT (very nice!).
Patch sent to me a few hours later. (Yahoo has its
times in PDT, ah well). Cool vendor! Thanks dude!

Unsure of next version release, but asked vendor to
release patch if nothing else. Asked vendor if I could
include patch in advisory - but I think he went to
sleep (it was 3:30am his time)...:\

I'll include it anyhow, I'm sure he won't mind :) You
might want to check it doesn't break your site
though...I will take no responsibility!!! :)

Sign Off
--------

Greets to all the nz2600 peeps!

Disclaimer: I don't work for the GCSB, ok? :)

Thanks,
gcsb.




Attachment: PostCalendar-3.02-patch.tar.gz
Description: PostCalendar-3.02-patch.tar.gz
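
The gap the Exploit steps point to, and a fix for it, as an added example (not part of the original post and not the vendor's patch). It assumes the first form rejects HTML while the submission made from the preview screen is stored unchecked; all function names are hypothetical.

```php
<?php
// Added illustration with hypothetical names; this is not PostCalendar code.

// Constructed event text standing in for markup added on the preview screen.
$fromPreview = 'Team meeting <script>/* constructed sample */</script>';

// Assumed weak pattern: only the first ("new") form is checked for HTML.
function store_event_weak(array &$db, string $text, string $step): void
{
    if ($step === 'new' && $text !== strip_tags($text)) {
        throw new InvalidArgumentException('HTML not allowed');
    }
    $db[] = $text; // the resubmission from the preview screen is stored unchecked
}

// Hardened: the same check runs on every path that writes to storage.
function store_event(array &$db, string $text, string $step): void
{
    if ($text !== strip_tags($text)) {
        throw new InvalidArgumentException('HTML not allowed');
    }
    $db[] = $text;
}

// Defence in depth: encode on output so stored markup is displayed as text.
function render_event(string $text): string
{
    return '<div class="event">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

$weakDb = [];
store_event_weak($weakDb, $fromPreview, 'preview');
echo count($weakDb), " event stored by the weak path\n";

$db = [];
try {
    store_event($db, $fromPreview, 'preview');
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected the event: ", $e->getMessage(), "\n";
}

// Even the row that got past the weak check is inert once encoded on output.
echo render_event($weakDb[0]), "\n";
```

Encoding at render time also covers rows that were stored before the input check was tightened.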

