Latest YouTube Video

Saturday, November 14, 2015

[FD] ClipperCMS 1.3.0: XSS

Security Advisory - Curesec Research Team 1. Introduction Affected Product: ClipperCMS 1.3.0 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://ift.tt/1NRZoqj Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 10/02/2015 Disclosed to public: 11/13/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview There are various XSS vulnerabilities in ClipperCMS 1.3.0. Some require specific non-default settings, while others do not require these settings. 3. XSS 1 CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Proof of Concept http://localhost/ClipperCMS-clipper_1.3.0/manager/media/browser/mcpuk/connectors/php/connector.php?foo=bar 4. XSS 2 CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description The name, email, message, and subjected parameter of the Contact form are vulnerable to XSS. Contrary to the XSS issues in the admin area described below, these XSS work without clickjacking or specific settings regarding referers. Proof of Concept The POCs for name and subjected are equivalent to this POC for email:
POC for message:
" />
5. XSS 3 CVSS Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Description The search field of the System Events page is vulnerable to XSS. To execute the provided POC, the setting "Validate HTTP_REFERER headers" should be set to false. Please note that it is likely possible to exploit this issue via ClickJacking even if that setting is set to true. Proof of Concept
6. XSS 4ff CVSS Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Description Multiple parameters of various components of the admin area are vulnerable to XSS. To execute these POC, the setting "Validate HTTP_REFERER headers" should be set to false. Proof of Concept http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=75&r=);}alert(1);function foo(){doRefresh( http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=31&mode=drill&path=foo';alert(1);var bar=' http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88">&id=1 http://ift.tt/1kUvBBQ">&op=&search=test http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1"> 7. Solution This issue has not been fixed by the vendor. 8. Report Timeline 10/02/2015 Informed Vendor about Issue (no reply) 10/21/2015 Reminded Vendor of Disclosure Date (no reply) 11/13/2015 Disclosed to public Blog Reference: http://ift.tt/1kUvBS4

Source: Gmail -> IFTTT-> Blogger

No comments: