Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6
Advisory ID: SROEADV-2014-01
Author: Steffen Rösemann
Affected Software: CMS Papoo Version 6.0.0 Rev. 4701
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID: -
==========================
Vulnerability Description:
==========================
The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality.
==================
Technical Details:
==================
XSS-Vulnerability #1:
Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following URL: http://{target-url}/guestbook.php?menuid=6.
The input field with the id "author" is vulnerable to XSS. The injected markup is stored in the database, which makes the vulnerability persistent.
Payload-Examples:
<img src='n' onerror="javascript:alert('XSS')" >
<iframe src="some_remote_source"></iframe>
XSS-Vulnerability #2:
People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScript code into the username input field.
The code is then written to the database backend. The attacker only has to confirm his/her e-mail address to be able to log in and spread the code by posting to the forum or the guestbook, where the username is displayed.
Payload-Examples:
see above (XSS #1)
=========
Solution:
=========
Update to the latest version
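Both issues come down to a stored author or username value being echoed into HTML unencoded. The PHP below is an added example, not Papoo source code or the vendor's patch: it shows the raw echo beside an encoded one, an allow-list check for usernames at registration, and a check for markup in rows that may already be stored. The function names, the username policy and the sample rows are assumptions made for this example.

```php
<?php
// Added illustration, not Papoo source code. Function names and the
// username policy are assumptions made for this example.

// Encode a stored value for an HTML text or quoted-attribute context.
function render_text(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Registration-time allow-list: letters, digits, dot, underscore, hyphen.
function is_valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $name) === 1;
}

// Audit helper: flag values already in the database that contain markup.
function looks_like_markup(string $stored): bool
{
    return preg_match('/<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i', $stored) === 1;
}

// Constructed sample rows standing in for guestbook "author" / username values.
// The two markup rows are the payload examples quoted in this advisory.
$rows = [
    'Alice',
    "<img src='n' onerror=\"javascript:alert('XSS')\" >",
    '<iframe src="some_remote_source"></iframe>',
    'Bob & Carol',
];

foreach ($rows as $author) {
    $vulnerable = '<td>' . $author . '</td>';              // raw echo: markup is live
    $hardened   = '<td>' . render_text($author) . '</td>'; // encoded: shown as text
    printf(
        "valid=%s flagged=%s\n  raw:     %s\n  encoded: %s\n",
        var_export(is_valid_username($author), true),
        var_export(looks_like_markup($author), true),
        $vulnerable,
        $hardened
    );
}
```

Output encoding is the control that matters here; the allow-list and the audit pattern are defence in depth and will not catch every markup variant.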
====================
Disclosure Timeline:
====================
13-Dec-2014 - found XSS #1
13-Dec-2014 - informed the developers (XSS #1)
14-Dec-2014 - found XSS #2
14-Dec-2014 - informed the developers (XSS #2)
15-Dec-2014 - release date of this security advisory
15-Dec-2014 - response and fix by vendor
15-Dec-2014 - post on BugTraq
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
http://www.papoo.de/
http://sroesemann.blogspot.de