Elefant CMS 1.3.12-RC Cross Site Scripting

2017-02-17T00:00:00
ID PACKETSTORM:141149
Type packetstorm
Reporter Tim Coen
Modified 2017-02-17T00:00:00

Description

                                        
                                            `Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: Elefant CMS 1.3.12-RC  
Fixed in: 1.3.13  
Fixed Version https://github.com/jbroadway/elefant/releases/tag/  
Link: elefant_1_3_13_rc  
Vendor Website: https://www.elefantcms.com/  
Vulnerability XSS  
Type:  
Remote Yes  
Exploitable:  
Reported to 09/05/2016  
vendor:  
Disclosed to 02/02/2017  
public:  
Release mode: Coordinated Release  
CVE: n/a (not requested)  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
Elefant is a content managment system written in PHP. In version 1.3.12-RC, it  
is vulnerable to multiple persistent as well as a reflected XSS issue. This  
allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass  
CSRF protection.  
  
3. Details  
  
Persistent XSS: Username  
  
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N  
  
The username is echoed in various locations in the administration backend  
without encoding, leading to persistent XSS vulnerabilities. A user account is  
required, but the registration is open by default.  
  
Proof of Concept:  
  
1. Register a new user (the registration is open by default). 2. Update the  
profile, as name use: Username<img src=no onerror=alert(1)> To trigger the  
payload: 1. Log in as admin 2. View the edit page for the user, for example:  
http://localhost/user/edit?id=3 Alternatively, the payload is also echoed on  
the page listing all users: http://localhost/admin/versions?id=&type=User As  
well as on the version page: http://localhost/admin/versions?type=User&id=3  
  
Persistent XSS: Version Comparison  
  
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N  
  
Various fields of various components are echoed unencoded when comparing  
versions of those components. Examples are the user profile fields Name,  
Address, Address 2, City, Title, Company, or About, or the Title, Menu Title,  
Window Title, Description, or Keyword of a page.  
  
Proof of Concept:  
  
The comparison page can for example be seen here: http://localhost/admin/  
compare?id=8&current=no  
  
Persistent XSS: Page & Content Block  
  
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N  
  
The title of a new webpage is echoed unencoded, leading to persistent XSS. The  
same issue also exists when creating blocks.  
  
A user account with the right to create pages is required. By default, the  
editor role has this right.  
  
Proof of Concept:  
  
Create a new page or block, as title use: </title><img src=no onerror=alert(1)>  
The payload will be echoed in a title tag as well as a h1 tag when viewing the  
page and when editing the page.  
  
Persistent XSS: Blog Post  
  
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N  
  
The title as well as the tags of a blog post are echoed unencoded, leading to  
persistent XSS.  
  
A user account with the right to create pages is required. By default, the  
editor role has this right  
  
Proof of Concept:  
  
Create a new blog post, as title and tag use: </title>'"><img src=no onerror=  
alert(1)> The payload will be echoed in a title tag, a h1 tag, as well as a  
href tag when viewing the page and when editing the page.  
  
Reflected XSS  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
The name parameter of the custom fields component is vulnerable to reflected  
XSS.  
  
Proof of Concept:  
  
GET /admin/extended?extends=User&name=%3Cimg%20src=no%20onerror=alert(1)%3E  
HTTP/1.1  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 1.3.13.  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
09/05/2016 Informed Vendor about Issue, Vendor announces fix  
11/07/2016 Asked Vendor if recent releases fixes issues, Vendor confirmed  
02/02/2017 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Multiple-Persistent-and-Reflected-XSS-191.html  
  
--  
blog: https://www.curesec.com/blog  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`