Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtSteffen Rösemann1337DAY-ID-23011
HistoryDec 18, 2014 - 12:00 a.m.

Papoo CMS 6.0.0 Rev. 4701 - Stored XSS Vulnerability

2014-12-1800:00:00
Steffen Rösemann
0day.today
12
JSON

Exploit for php platform in category web applications

Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6
Author: Steffen Rösemann
Affected Software: CMS Papoo Version 6.0.0 Rev. 4701
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID: -
 
==========================
Vulnerability Description:
==========================
 
The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality.
 
==================
Technical Details:
==================
 
XSS-Vulnerability #1:
 
Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following url: http://{target-url}/guestbook.php?menuid=6.
 
The input fields with the id „author“ is vulnerable to XSS which gets stored in the database and makes that vulnerability persistent.
 
Payload-Examples:
 
<img src='n' onerror=“javascript:alert('XSS')“ >
<iframe src=“some_remote_source“></iframe>
 
XSS-Vulnerability #2:
 
People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScriptcode on the username input-field.
 
Code gets written to the database backend then. Attacker only has to confirm his/her e-mail address to be able to login and spread the code by posting to the forum or the guestbook where the username is displayed.
 
Payload-Examples:
 
see above (XSS #1)
 
=========
Solution:
=========
 
Update to the latest version
 
====================
Disclosure Timeline:
====================
13-Dec-2014 – found XSS #1
13-Dec-2014 - informed the developers (XSS #1)
14-Dec-2014 – found XSS #2
14-Dec-2014 – informed the developers (XSS #2)
15-Dec-2014 - release date of this security advisory
15-Dec-2014 - response and fix by vendor
15-Dec-2014 - post on BugTraq
 
========
Credits:
========
 
Vulnerability found and advisory written by Steffen Rösemann.
 
===========
References:
===========
 
http://www.papoo.de/
http://sroesemann.blogspot.de

#  0day.today [2018-03-10]  #
JSON