Persistent XSS Vulnerability in CMS Papoo Light v6.0.0 Rev. 4701


Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6 Advisory ID: SROEADV-2014-01 Author: Steffen Rцsemann Affected Software: CMS Papoo Version 6.0.0 Rev. 4701 Vendor URL: http://www.papoo.de/ Vendor Status: fixed CVE-ID: - ========================== Vulnerability Description: ========================== The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality. ================== Technical Details: ================== XSS-Vulnerability #1: Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following url: http://{target-url}/guestbook.php?menuid=6. The input fields with the id „author“ is vulnerable to XSS which gets stored in the database and makes that vulnerability persistent. Payload-Examples: <img src='n' onerror=“javascript:alert('XSS')“ > <iframe src=“some_remote_source“></iframe> XSS-Vulnerability #2: People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScriptcode on the username input-field. Code gets written to the database backend then. Attacker only has to confirm his/her e-mail address to be able to login and spread the code by posting to the forum or the guestbook where the username is displayed. Payload-Examples: see above (XSS #1) ========= Solution: ========= Update to the latest version ==================== Disclosure Timeline: ==================== 13-Dec-2014 – found XSS #1 13-Dec-2014 - informed the developers (XSS #1) 14-Dec-2014 – found XSS #2 14-Dec-2014 – informed the developers (XSS #2) 15-Dec-2014 - release date of this security advisory 15-Dec-2014 - response and fix by vendor 15-Dec-2014 - post on BugTraq ======== Credits: ======== Vulnerability found and advisory written by Steffen Rцsemann. =========== References: =========== http://www.papoo.de/ http://sroesemann.blogspot.de