Chyrp CMS 2.5.2: XSS
Date: 2015-10-07 15:48:571. Introduction
| Affected Product: | Chyrp CMS 2.5.2 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Github: | https://github.com/chyrp/chyrp |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/01/2015 |
| Disclosed to public: | 10/07/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Vulnerability Description
There is an XSS vulnerability in Chyrp CMS 2.5.2. With this, it is possible to steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.
The vulnerability exists because the key of all GET arguments is echoed without encoding.
3. Proof of Concept
http://localhost/chyrp/themes/firecrest/images/dots-green.gif?"></script><script>alert(1)</script>=1
4. Code
/includes/class/Theme.php:231
public function javascripts() {
$config = Config::current();
$route = Route::current();
$args = "";
foreach ($_GET as $key => $val)
if (!empty($val) and $val != $route->action)
$args.= "&".$key."=".urlencode($val);
$javascripts = array($config->chyrp_url."/includes/lib/gz.php?file=jquery.js",
$config->chyrp_url."/includes/lib/gz.php?file=plugins.js",
$config->chyrp_url.'/includes/javascript.php?action='.$route->action.$args);
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
| 09/01/2015 | Informed Vendor about Issue (no reply) |
| 09/22/2015 | Reminded Vendor of disclosure date (no reply) |
| 10/07/2015 | Disclosed to public |