======================================================================
DEVWERKS SECURITY ADVISORY                          www.devwerks.net
======================================================================

devWerks Advisory ID: DW-2016-007
Application:          UliCMS <= 9.8.5
Vendor:               UliCMS
Subject:              Cross-site Scripting - XSS
Author:               Johannes Schroeter (j.schroeter@devwerks.net)
Date:                 2016-10-15

======================================================================
Overview:

UliCMS is the ideal platform for developing small to medium sized
websites. The software combines incomparable stability in an Open
Source CMS environment with low maintenance requirements and ease of
use. With UliCMS you can use your time as a webmaster for your project;
you don't have to waste it on maintaining your CMS. This internet
proven content management solution packs in all the functionality your
business needs today and in the future of the Internet, including an
Access Control List, good extensibility and WYSIWYG content editing
using CKEditor. It's the rock solid content management solution you'd
expect from UliCMS.

devWerks discovered a stored cross-site scripting flaw in the UliCMS
web application which allows attacker-supplied JavaScript to execute
in the browser of a user who opens the affected page, within the
origin (and therefore the session) of the UliCMS application.

======================================================================
Details:

The vulnerability lies in the user profile / user edit form of the
admin backend (ulicms/admin/inc/admins_edit.php). The stored profile
fields username, lastname, firstname, email, homepage and twitter are
written into the HTML response without HTML-encoding. Whatever is
saved in one of these fields is therefore rendered as markup rather
than as text: a value containing JavaScript is executed in the browser
of the user who opens the form, in the context of the UliCMS web
application. Note that the homepage and twitter values are emitted
inside a value="..." attribute, so a stored double quote is enough to
break out of the attribute and add an event handler. The root cause is
missing output encoding rather than missing input validation: the
values must be passed through htmlspecialchars() (with ENT_QUOTES for
the attribute context) at the point where they are echoed.

Code: ulicms/admin/inc/admins_edit.php

line 34:  echo $row->username;
line 46:  echo $row->lastname;
line 51:  echo $row->firstname;
line 57:  echo $row->email;
line 132: value="<?php echo $row->homepage?>">
          value="<?php echo $row->twitter?>">
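The raw-echo pattern behind the cited lines, placed next to the output-encoded form that fixes it, as an added example that is not code from UliCMS or from this advisory. The $row record, the two malicious field values and the form layout around the echoes are constructed for the demonstration (only the cited lines are known from the advisory); the field names match the ones listed above.

```php
<?php
// Added example, not UliCMS code: the raw-echo pattern cited in the
// advisory next to the output-encoded form that fixes it. $row is a
// constructed stand-in for the database record admins_edit.php reads;
// the surrounding form markup is assumed, only the field names are known.
declare(strict_types=1);

// Constructed record: two fields carry markup of the kind a user could
// store through the profile form. lastname breaks out of text context,
// homepage breaks out of the value="..." attribute at the cited line 132.
$row = (object) [
    'username'  => 'alice',
    'firstname' => 'Alice',
    'lastname'  => '<script>alert(document.cookie)</script>',
    'email'     => 'alice@example.invalid',
    'homepage'  => 'https://example.invalid/" onmouseover="alert(1)',
    'twitter'   => 'alice',
];

$textFields = ['username', 'firstname', 'lastname', 'email'];
$attrFields = ['homepage', 'twitter'];

// Vulnerable rendering: values are concatenated into HTML unchanged,
// exactly what "echo $row->lastname;" does inside a template.
function renderVulnerable(object $row, array $textFields, array $attrFields): string
{
    $html = '';
    foreach ($textFields as $field) {
        $html .= '<p>' . $row->$field . '</p>' . "\n";
    }
    foreach ($attrFields as $field) {
        $html .= '<input type="text" name="' . $field . '" value="' . $row->$field . '">' . "\n";
    }
    return $html;
}

// Output encoder for the HTML context. ENT_QUOTES encodes both " and ',
// so the same helper is safe inside attribute values; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently producing an empty string; the charset must
// match the page's declared encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: identical markup, every dynamic value passed through e().
function renderSafe(object $row, array $textFields, array $attrFields): string
{
    $html = '';
    foreach ($textFields as $field) {
        $html .= '<p>' . e($row->$field) . '</p>' . "\n";
    }
    foreach ($attrFields as $field) {
        $html .= '<input type="text" name="' . $field . '" value="' . e($row->$field) . '">' . "\n";
    }
    return $html;
}

echo "--- vulnerable output ---\n", renderVulnerable($row, $textFields, $attrFields);
echo "--- encoded output ---\n",    renderSafe($row, $textFields, $attrFields);

// Regression check usable after patching: the encoded output must contain
// neither a raw tag nor a quote that terminates the attribute early.
$safe  = renderSafe($row, $textFields, $attrFields);
$leaks = strpos($safe, '<script>') !== false || strpos($safe, '" onmouseover') !== false;
echo $leaks ? "FAIL: markup survived encoding\n" : "OK: markup neutralised\n";
```

Run it with `php example.php`. The vulnerable output contains the script tag and the injected onmouseover handler verbatim; the encoded output carries `&lt;script&gt;` and `&quot;` instead, so the browser shows the stored text and the attribute stays closed. The explicit flags matter: before PHP 8.1 htmlspecialchars() defaulted to ENT_COMPAT, which leaves single quotes untouched and is therefore unsafe for single-quoted attributes.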
======================================================================
Timeline:

2016-10-02: Vendor notified
2016-10-02: Vendor response
2016-10-06: Vulnerability details sent to vendor
2016-10-06: Vendor confirmed security issue
2016-10-09: Release of patches for current supported versions
            9.0.1, 9.8.4 and 9.8.5
2016-10-15: Public release of this advisory

======================================================================
Recommendation:

Apply the vendor patch for your release branch (patches were issued
for 9.0.1, 9.8.4 and 9.8.5) or upgrade to the latest release. Grab
your copy at: http://www.ulicms.de/
Since the payload is stored, it is also advisable to review existing
profile records for markup after patching.

======================================================================
References:

http://www.ulicms.de
http://devwerks.net
http://en.ulicms.de/aktuelles.html?single=xss-security-issue-in-user-edit-form-fixed