David Vieira-Kurz has reported some vulnerabilities in moziloCMS, which can be exploited by malicious people to conduct cross-site scripting and session fixation attacks and disclose sensitive information.

1) Input passed to the "file" parameter in download.php and "page" in index.php is not properly sanitised before being used. This can be exploited to download arbitrary files via directory traversal attacks.

2) Input passed to the "page" and "query" parameters in index.php, "cat" and "file" in download.php, "gal" in gallery.php, and the URL in admin/login.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) A vulnerability is caused due to an error in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.

The vulnerabilities are reported in version 1.10.2. Other versions may also be affected.

Solution
Reportedly fixed in version 1.11.2.

Provided and/or discovered by
David Vieira-Kurz, MajorSecurity

Changelog
Further details available in Customer Area

Original Advisory
moziloCMS:
http://cms.mozilo.de/index.php?cat=10_moziloCMS&page=60_Changelog

David Vieira-Kurz:
http://www.majorsecurity.de/index_2.php?major_rls=major_rls55

Deep Links
Links available in Customer Area