Textpattern 4.2.0 (txplib_db) Null Termination Cross-Site Scripting Vulnerability


Vendor: Team Textpattern
Product web page: http://www.textpattern.com
Affected version: 4.2.0


Summary: Textpattern is an open source content management system
unlike any other; it allows you to easily create, edit and publish
content and make it beautiful in a professional, standards-compliant
manner.


Desc: Textpattern CMS version 4.2.0 suffers from a XSS vulnerability.
Input passed via the "q" parameter to Textpattern (TXP) Tag Library
(txplib_db.php) is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.


Tested on: Microsoft Windows XP Professional SP3 (EN)
           PHP 5.3.0
           MySQL 5.1.36
           Apache 2.2.11 (Win32)


Vendor status: [05.09.2010] Vulnerability discovered.
               [05.09.2010] Initial contact with the vendor.
               [07.09.2010] No reply from vendor.
               [08.09.2010] Public advisory released.


Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
                             Zero Science Lab - http://www.zeroscience.mk
                             liquidworm gmail com


Zero Science Lab Advisory ID: ZSL-2010-4963

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4963.php


PoC:

 http://127.0.0.1/?q=%00<script>alert(document.cookie)</script>