Chyrp CMS version 2.5.2 suffers from a cross site scripting vulnerability.
83bca201d29ab70c1bde980fbed88a3c5b010df44c4f99ec14e273e3548fa878
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Chyrp CMS 2.5.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Github: https://github.com/chyrp/chyrp
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There is an XSS vulnerability in Chyrp CMS 2.5.2. With this, it is possible to
steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.
The vulnerability exists because the key of all GET arguments is echoed without
encoding.
3. Proof of Concept
http://localhost/chyrp/themes/firecrest/images/dots-green.gif?"></script><script>alert(1)</script>=1
4. Code
/includes/class/Theme.php:231
public function javascripts() {
$config = Config::current();
$route = Route::current();
$args = "";
foreach ($_GET as $key => $val)
if (!empty($val) and $val != $route->action)
$args.= "&".$key."=".urlencode($val);
$javascripts = array($config->chyrp_url."/includes/lib/gz.php?file=jquery.js",
$config->chyrp_url."/includes/lib/gz.php?file=plugins.js",
$config->chyrp_url.'/includes/javascript.php?action='.$route->action.$args);
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Chyrp-CMS-252-XSS-61.html