
DYNPG 4.6: XSS
Date: 2016-01-28 09:52:50
1. Introduction
Affected Product: DYNPG 4.6
Fixed in: 4.7
Fixed Version Link: https://www.dynpg.org/index_en.php
Vendor Website: https://www.dynpg.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 01/28/2016
Release mode: Coordinated Release
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Overview
DYNPG is a content management system written in PHP. Version 4.6 contains multiple XSS vulnerabilities.
The vulnerabilities can lead to the stealing of cookies or the injection of JavaScript keyloggers. In this case, successful exploitation may also lead to code execution if the victim is an admin, since the admin area allows the upload of PHP files.
3. Details
Multiple Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: There are various locations that do not properly encode user input when echoing it, leading to reflected XSS.
Proof of Concept:
http://localhost/DYNPG_46_2014-07-21/_file_edit.php?picID=1&function="><script>alert(1)</script>
http://localhost/DYNPG_46_2014-07-21/_tinymce.popup.php?targetArea='</script><script>alert(1)</script>
http://localhost/DYNPG_46_2014-07-21/searchbox.inc.php?show="><script>alert('xss')</script>
Persistent XSS
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When showing the list of images, the file name is not sanitized, leading to persistent XSS. A user account is needed that has the right to upload files.
Proof of Concept:
1. Upload a file with the name: "'\"><img src=no onerror=alert(1)>.png
   Note that the checkbox "Keep original name of file" must be checked.
2. Visit the list of images.
Self XSS
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description: When inserting an image into the text editor, there is a self-xss vulnerability. It may be possible to exploit this issue in combination with ClickJacking.
Proof of Concept:
1. Visit the text editor: http://localhost/DYNPG_46_2014-07-21/index.php?show=4
2. Click on "Insert Image".
3. As Image URL, enter: " onerror=alert(1) foo="
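The three findings above share one root cause: user-controlled data is written into HTML without encoding for the context it lands in (a quoted attribute for "function", "show" and the image URL; a JavaScript string inside a script block for "targetArea"; and a stored file name rendered in the image list). The following is an added example, not DYNPG's code and not the vendor's fix; the function names, the parameter handling and the allow-list of extensions are assumptions chosen for illustration. It shows the raw-echo pattern the advisory describes beside context-aware encoding and upload-name sanitization.

```php
<?php
// Added example (not DYNPG code): context-aware output encoding for the
// injection contexts named in the advisory. Names are assumptions.

// HTML body or quoted attribute context (e.g. the "function" and "show"
// parameters, the image URL, and the stored image file name):
// escape &, <, >, " and ' so the attribute cannot be closed early.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string literal inside a <script> block (e.g. "targetArea"):
// json_encode with the HEX flags turns quotes and angle brackets into
// \uXXXX escapes, so neither the string nor the </script> tag can be closed.
function encodeJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Uploaded file name: reduce the base name to a safe character set and
// require an allow-listed image extension, so "Keep original name of file"
// can never store markup or a server-side script name.
function safeUploadName(string $original): string
{
    $base = pathinfo($original, PATHINFO_FILENAME);
    $ext  = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    $allowed = ['png', 'jpg', 'jpeg', 'gif'];   // assumption: image uploads only
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException('unsupported file extension');
    }
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
    if ($base === '') {
        $base = 'file';
    }
    return $base . '.' . $ext;
}

// Vulnerable pattern the advisory describes: the parameter is echoed as-is,
// so a value of "><script>alert(1)</script> closes the attribute and tag.
//   echo '<input name="function" value="' . $_GET['function'] . '">';

// Hardened: encode for the attribute context.
$function = $_GET['function'] ?? '';
echo '<input name="function" value="' . encodeHtml($function) . '">' . "\n";

// Hardened: encode for the JavaScript string context.
$target = $_GET['targetArea'] ?? '';
echo '<script>var targetArea = ' . encodeJs($target) . ';</script>' . "\n";

// Hardened: sanitize the stored name at upload time and still encode it on
// output (constructed input mirrors the advisory's persistent XSS file name).
$name = safeUploadName('"\'"><img src=no onerror=alert(1)>.png');
echo '<img src="uploads/' . encodeHtml($name) . '" alt="' . encodeHtml($name) . '">' . "\n";
```

Encoding on output is the control that closes all three findings; the upload-name sanitizer is defence in depth for the persistent case, since a name stored in the database is rendered in more than one place. For the "Insert Image" URL field, the attribute encoding prevents the `" onerror=` break-out, and restricting the value to http or https URLs before it is stored keeps javascript: and data: schemes out of the src attribute as well.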
4. Solution
To mitigate this issue please upgrade at least to version 4.7:
https://www.dynpg.org/index_en.php
Please note that a newer version might already be available.
5. Report Timeline
11/17/2015: Informed Vendor about Issue
11/22/2015: Vendor requests more time
01/19/2016: Vendor releases fix
01/28/2016: Disclosed to public