Multiple vulnerabilities have been discovered in Elxis CMS, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and by malicious people to conduct cross-site scripting, cross-site request forgery, and SQL injection attacks.

1) Input passed via the "search" POST parameter to administrator/index2.php (when e.g. "option" is set to "com_frontend") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "name" and "misc" (when "option" is set to "com_contact") and "title" (when "option" is set to "com_modules") POST parameters to administrator/index2.php is not properly sanitised before being used and returned to the user. This can be exploited to insert arbitrary HTML and script code, which will get executed in a user's browser session in context of an affected site when the malicious data is being viewed.

3) Input passed via the "id" POST parameter to administrator/index2.php (when "option" is set to "com_content" and "task" is set to "save") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

4) The application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to e.g. manipulate contact information in the administrative section by tricking an administrative user into visiting a malicious web site while being logged in to the application.

5) Input passed via the "X-Forwarded-For" HTTP header to index.php (when "option" is set to "com_poll" and "Itemid" is set) is not properly sanitised in components/com_poll/poll.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

6) Input passed via the "usercookie[password]" cookie parameter to index.php is not properly sanitised in the "login()" function in includes/Core/elxis.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of vulnerabilities #5 and #6 requires that "magic_quotes_gpc" is disabled.

NOTE: Vulnerabilities #2 and #3 can be used in conjunction with vulnerability #4.

These vulnerabilities are confirmed in version 2009.2 rev2631. Other versions may also be affected.

7) Input passed to the "i" parameter in includes/simplepie/handler_image.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

This vulnerability is confirmed in version 2009.3 rev2684. Other versions may also be affected.

Solution
Update to version 2009.3 Aphrodite rev2684 which fixes vulnerabilities #2, #3, #5, and #6. Edit the source code to ensure that input is properly sanitised. Do not browse untrusted sites or follow untrusted links while being logged-in to the application.

Provided and/or discovered by
1-6) High-Tech Bridge SA. Additional information with regards to vulnerability #1 provided by mr.pr0n (@_pr0n_).
7) Maciej Gojny, Ariko-Security

Changelog
Further details available to Secunia VIM customers

Original Advisory
Elxis CMS:
http://forum.elxis.org/index.php?topic=5144.msg35079#msg35079
http://forum.elxis.org/index.php?topic=5144.msg35080#msg35080
http://forum.elxis.org/index.php?topic=5144.msg35083#msg35083
http://forum.elxis.org/index.php?topic=5144.msg35082#msg35082
http://forum.elxis.org/index.php?topic=5144.msg36392#msg36392
http://forum.elxis.org/index.php?topic=5144.msg36395#msg36395

HTB22613:
http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_elxis_cms.html

HTB22614:
http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms.html

HTB22615:
http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms_contacts.html

HTB22616:
http://www.htbridge.ch/advisory/xss_vulnerability_in_elxis_cms_polls_module.html

HTB22699:
http://www.htbridge.ch/advisory/sql_injection_in_elxis_cms.html

HTB22700:
http://www.htbridge.ch/advisory/sql_injection_in_elxis_cms_1.html

mr.pr0n:
http://packetstormsecurity.org/files/view/104364/elxis-sessionxss.txt

Maciej Gojny:
http://advisories.ariko-security.com/2012/audyt_bezpieczenstwa_3m2.html

Deep Links
Links available to Secunia VIM customers