ID PACKETSTORM:134187 Type packetstorm Reporter Tim Coen Modified 2015-11-03T00:00:00
Description
`Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Chyrp CMS 2.5.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Github: https://github.com/chyrp/chyrp
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There is an XSS vulnerability in Chyrp CMS 2.5.2. With this, it is possible to
steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.
The vulnerability exists because the key of all GET arguments is echoed without
encoding.
3. Proof of Concept
http://localhost/chyrp/themes/firecrest/images/dots-green.gif?"></script><script>alert(1)</script>=1
4. Code
/includes/class/Theme.php:231
public function javascripts() {
$config = Config::current();
$route = Route::current();
$args = "";
foreach ($_GET as $key => $val)
if (!empty($val) and $val != $route->action)
$args.= "&".$key."=".urlencode($val);
$javascripts = array($config->chyrp_url."/includes/lib/gz.php?file=jquery.js",
$config->chyrp_url."/includes/lib/gz.php?file=plugins.js",
$config->chyrp_url.'/includes/javascript.php?action='.$route->action.$args);
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Chyrp-CMS-252-XSS-61.html
`
{"type": "packetstorm", "published": "2015-11-03T00:00:00", "reporter": "Tim Coen", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "5117903888476eeae1794ad54bb54b7f"}, {"key": "modified", "hash": "223b41719c4257204693de5aea52ffa5"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "223b41719c4257204693de5aea52ffa5"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "c3f647cf85a6d6783e846f7be2a2747c"}, {"key": "sourceData", "hash": "d1ec675ffb11e72f3d20118c838a9a2a"}, {"key": "sourceHref", "hash": "9c59d211166ff2a43658cad54a05a554"}, {"key": "title", "hash": "928101acab3ea9094ce0c326856c45f1"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`Security Advisory - Curesec Research Team \n \n1. Introduction \n \nAffected Product: Chyrp CMS 2.5.2 \nFixed in: not fixed \nFixed Version Link: n/a \nVendor Github: https://github.com/chyrp/chyrp \nVulnerability Type: XSS \nRemote Exploitable: Yes \nReported to vendor: 09/01/2015 \nDisclosed to public: 10/07/2015 \nRelease mode: Full Disclosure \nCVE: n/a \nCredits Tim Coen of Curesec GmbH \n \n2. Vulnerability Description \n \nThere is an XSS vulnerability in Chyrp CMS 2.5.2. With this, it is possible to \nsteal cookies, bypass CSRF protection, or inject JavaScript keyloggers. \n \nThe vulnerability exists because the key of all GET arguments is echoed without \nencoding. \n \n3. Proof of Concept \n \n \nhttp://localhost/chyrp/themes/firecrest/images/dots-green.gif?\"></script><script>alert(1)</script>=1 \n \n4. Code \n \n \n/includes/class/Theme.php:231 \npublic function javascripts() { \n$config = Config::current(); \n$route = Route::current(); \n \n$args = \"\"; \nforeach ($_GET as $key => $val) \nif (!empty($val) and $val != $route->action) \n$args.= \"&\".$key.\"=\".urlencode($val); \n \n$javascripts = array($config->chyrp_url.\"/includes/lib/gz.php?file=jquery.js\", \n$config->chyrp_url.\"/includes/lib/gz.php?file=plugins.js\", \n$config->chyrp_url.'/includes/javascript.php?action='.$route->action.$args); \n \n5. Solution \n \nThis issue was not fixed by the vendor. \n \n6. Report Timeline \n \n09/01/2015 Informed Vendor about Issue (no reply) \n09/22/2015 Reminded Vendor of disclosure date (no reply) \n10/07/2015 Disclosed to public \n \n \nBlog Reference: \nhttp://blog.curesec.com/article/blog/Chyrp-CMS-252-XSS-61.html \n \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:19:23", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/134187/Chyrp-CMS-2.5.2-Cross-Site-Scripting.html", "sourceHref": "https://packetstormsecurity.com/files/download/134187/chyrpcms252-xss.txt", "title": "Chyrp CMS 2.5.2 Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 4.3}, "vulnersScore": 4.3}, "references": [], "id": "PACKETSTORM:134187", "hash": "ed70e99beacc07f6880da185952a1df5a60eb5ea222302a3951afd5e98d85046", "edition": 1, "cvelist": [], "modified": "2015-11-03T00:00:00", "description": ""}
