{"id":49,"date":"2012-06-19T12:09:02","date_gmt":"2012-06-19T10:09:02","guid":{"rendered":"http:\/\/www.enye-sec.org\/en\/?p=49"},"modified":"2012-06-28T13:23:04","modified_gmt":"2012-06-28T11:23:04","slug":"basekit-bug-xss-advisory","status":"publish","type":"post","link":"https:\/\/www.enye-sec.org\/en\/advisories\/basekit-bug-xss-advisory\/","title":{"rendered":"BaseKit bug XSS Advisory"},"content":{"rendered":"

I contacted BaseKit.com<\/a> company 45 days ago to warn about a bug XSS (Cross Site Scripting<\/em>) in their systems. They told me that in 15 days it would be solved, but have passed 45 days and the error still exists<\/strong>, so I’ve decided to publish it.<\/p>\n

BaseKit.com<\/a> is a company that sells a service for creating online websites easily with a visual editor. On their website they advertise that have been created 228,000 web pages<\/strong> using their system.<\/p>\n

Their system uses HTTP rewrite module, and therefore never reached an HTTP error number 404. All URL’s are injected into the source code as follows:<\/p>\n

<link rel=\u201dstylesheet\u201d type=\u201dtext\/css\u201d href=\u201dhttp:\/\/DOMAIN.COM\/PATH<\/strong>?startcss=true\u201d \/><\/p><\/blockquote>\n

PATH<\/strong> is not filtered in any way, so you can put HTML code in URL and it will be copied to source code.<\/p>\n

For example, with a URL as:<\/p>\n

http:\/\/DOMAIN.COM\/\u201d><script>alert(document.cookie);<\/script><\/p><\/blockquote>\n

It will be copied as:<\/p>\n

<link rel=\u201dstylesheet\u201d type=\u201dtext\/css\u201d href=\u201dhttp:\/\/DOMAIN.COM\/\u201d><script>alert(document.cookie);<\/script>?startcss=true\u201d \/><\/p><\/blockquote>\n

So you can execute javascript code<\/strong>.<\/p>\n

On their website BaseKit.com<\/a> you can see examples of pages created with your system, you can check the bug in a real website with next link:<\/p>\n

http:\/\/www.instalcesped.com\/\u201d><script>alert(document.cookie);<\/script><\/a><\/p>\n

<\/div>\n","protected":false},"excerpt":{"rendered":"

I contacted BaseKit.com company 45 days ago to warn about a bug XSS (Cross Site Scripting) in their systems. They told me that in 15 days it would be solved, but have passed 45 days and the error still exists, so I’ve decided to publish it. BaseKit.com is a company that sells a service for […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[31,32,30,29,24,28],"class_list":["post-49","post","type-post","status-publish","format-standard","hentry","category-advisories","tag-advisory","tag-basekit","tag-bug","tag-cross-site-scripting","tag-raise","tag-xss"],"_links":{"self":[{"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/posts\/49"}],"collection":[{"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/comments?post=49"}],"version-history":[{"count":19,"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/posts\/49\/revisions"}],"predecessor-version":[{"id":74,"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/posts\/49\/revisions\/74"}],"wp:attachment":[{"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/media?parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/categories?post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.enye-sec.org\/en\/wp-json\/wp\/v2\/tags?post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}